From: Greg Kroah-Hartman Date: Wed, 15 Mar 2017 07:58:03 +0000 (+0800) Subject: 4.10-stable patches X-Git-Tag: v4.4.55~7 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a3138db1bb05ac8316f8f4162ddf4b97fb1da76b;p=thirdparty%2Fkernel%2Fstable-queue.git 4.10-stable patches added patches: drm-i915-gvt-fix-superfluous-newline-in-gvt_display_ready-env-var.patch dw2102-don-t-do-dma-on-stack.patch efi-arm-fix-boot-crash-with-config_cpumask_offstack-y.patch i2c-add-missing-of_node_put-in-i2c_mux_del_adapters.patch i2c-bcm2835-avoid-possible-null-ptr-dereference.patch kvm-arm-arm64-let-vcpu-thread-modify-its-own-active-state.patch kvm-s390-fix-guest-migration-for-huge-guests-resulting-in-panic.patch pci-prevent-vpd-access-for-qlogic-isp2722.patch powerpc-booke-fix-boot-crash-due-to-null-hugepd.patch powerpc-emulation-support-for-load-store-instructions-on-le.patch powerpc-xics-work-around-limitations-of-opal-xics-priority-handling.patch revert-usb-gadget-uvc-add-missing-call-for-additional-setup-data.patch serial-samsung-continue-to-work-if-dma-request-fails.patch tracing-add-undef-to-fix-compile-error.patch ucount-remove-the-atomicity-from-ucount-count.patch usb-dwc3-gadget-make-set-endpoint-configuration-macros-safe.patch usb-dwc3-omap-fix-missing-break-in-dwc3_omap_set_mailbox.patch usb-gadget-dummy_hcd-clear-usb_gadget-region-before-registration.patch usb-gadget-function-f_fs-pass-companion-descriptor-along.patch usb-host-xhci-dbg-hciversion-should-be-a-binary-number.patch usb-host-xhci-plat-fix-timeout-on-removal-of-hot-pluggable-xhci-controllers.patch usb-iowarrior-fix-null-deref-at-probe.patch usb-iowarrior-fix-null-deref-in-write.patch usb-ohci-at91-do-not-drop-unhandled-usb-suspend-control-requests.patch usb-serial-io_ti-fix-information-leak-in-completion-handler.patch usb-serial-io_ti-fix-null-deref-in-interrupt-callback.patch usb-serial-omninet-fix-reference-leaks-at-open.patch usb-serial-safe_serial-fix-information-leak-in-completion-handler.patch --- 
diff --git a/queue-4.10/drm-i915-gvt-fix-superfluous-newline-in-gvt_display_ready-env-var.patch b/queue-4.10/drm-i915-gvt-fix-superfluous-newline-in-gvt_display_ready-env-var.patch
new file mode 100644
index 00000000000..30251d396b7
--- /dev/null
+++ b/queue-4.10/drm-i915-gvt-fix-superfluous-newline-in-gvt_display_ready-env-var.patch
@@ -0,0 +1,57 @@ +From d8e9b2b9097c117880dc22933239d05199c60b96 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Mon, 20 Feb 2017 14:58:25 +0100 +Subject: drm/i915/gvt: Fix superfluous newline in GVT_DISPLAY_READY env var + +From: Takashi Iwai + +commit d8e9b2b9097c117880dc22933239d05199c60b96 upstream. + +send_display_send_uevent() sends two environment variable, and the +first one GVT_DISPLAY_READY is set including a new line at the end of +the string; that is obviously superfluous and wrong -- at least, it +*looks* so when you only read the code. + +However, it doesn't appear in the actual output by a (supposedly +unexpected) trick. The code uses snprintf() and truncates the string +in size 20 bytes. This makes the string as GVT_DISPLAY_READY=0 or +...=1 including the trailing NUL-letter. That is, the '\n' found in +the format string is always cut off as a result. + +Although the code gives the correct result, it is confusing. This +patch addresses it, just removing the superfluous '\n' from the format +string for avoiding further confusion. If the argument "ready" were +not a bool, the size 20 should be corrected as well. But it's a +bool, so we can leave the magic number 20 as is for now. 
+ +FWIW, the bug was spotted by a new GCC7 warning: + drivers/gpu/drm/i915/gvt/handlers.c: In function 'pvinfo_mmio_write': + drivers/gpu/drm/i915/gvt/handlers.c:1042:34: error: 'snprintf' output truncated before the last format character [-Werror=format-truncation=] + snprintf(display_ready_str, 20, "GVT_DISPLAY_READY=%d\n", ready); + ^~~~~~~~~~~~~~~~~~~~~~~~ + drivers/gpu/drm/i915/gvt/handlers.c:1042:2: note: 'snprintf' output 21 bytes into a destination of size 20 + snprintf(display_ready_str, 20, "GVT_DISPLAY_READY=%d\n", ready); + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Fixes: 04d348ae3f0a ("drm/i915/gvt: vGPU display virtualization") +Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=1025903 +Reported-by: Richard Biener +Signed-off-by: Takashi Iwai +Signed-off-by: Zhenyu Wang +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/gvt/handlers.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/i915/gvt/handlers.c ++++ b/drivers/gpu/drm/i915/gvt/handlers.c +@@ -1039,7 +1039,7 @@ static int send_display_ready_uevent(str + char vmid_str[20]; + char display_ready_str[20]; + +- snprintf(display_ready_str, 20, "GVT_DISPLAY_READY=%d\n", ready); ++ snprintf(display_ready_str, 20, "GVT_DISPLAY_READY=%d", ready); + env[0] = display_ready_str; + + snprintf(vmid_str, 20, "VMID=%d", vgpu->id); diff --git a/queue-4.10/dw2102-don-t-do-dma-on-stack.patch b/queue-4.10/dw2102-don-t-do-dma-on-stack.patch new file mode 100644 index 00000000000..d94139c9ca5 --- /dev/null +++ b/queue-4.10/dw2102-don-t-do-dma-on-stack.patch 
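Review bot: The rewritten snprintf at the bottom of the hunk keeps the literal bound 20 instead of deriving it from the array it writes into, so the `char display_ready_str[20];` declaration a few lines above and the bound can drift apart silently; `snprintf(display_ready_str, sizeof(display_ready_str), "GVT_DISPLAY_READY=%d", ready);` ties them together, and the `vmid_str` call on the hunk's last line has the same shape. The commit message itself calls 20 a magic number that only works because `ready` is a bool, which is exactly the kind of coupling `sizeof` removes. send_display_ready_uevent's body continues outside the hunk.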
@@ -0,0 +1,433 @@ +From 606142af57dad981b78707234cfbd15f9f7b7125 Mon Sep 17 00:00:00 2001 +From: Jonathan McDowell +Date: Wed, 15 Feb 2017 18:29:15 -0200 +Subject: [media] dw2102: don't do DMA on stack + +From: Jonathan McDowell + +commit 606142af57dad981b78707234cfbd15f9f7b7125 upstream. + +On Kernel 4.9, WARNINGs about doing DMA on stack are hit at +the dw2102 driver: one in su3000_power_ctrl() and the other in tt_s2_4600_frontend_attach(). + +Both were due to the use of buffers on the stack as parameters to +dvb_usb_generic_rw() and the resulting attempt to do DMA with them. + +The device was non-functional as a result. + +So, switch this driver over to use a buffer within the device state +structure, as has been done with other DVB-USB drivers. + +Tested with TechnoTrend TT-connect S2-4600. + +[mchehab@osg.samsung.com: fixed a warning at su3000_i2c_transfer() that + state var were dereferenced before check 'd'] +Signed-off-by: Jonathan McDowell +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/usb/dvb-usb/dw2102.c | 242 ++++++++++++++++++++++--------------- + 1 file changed, 144 insertions(+), 98 deletions(-) + +--- a/drivers/media/usb/dvb-usb/dw2102.c ++++ b/drivers/media/usb/dvb-usb/dw2102.c +@@ -68,6 +68,7 @@ + struct dw2102_state { + u8 initialized; + u8 last_lock; ++ u8 data[MAX_XFER_SIZE + 4]; + struct i2c_client *i2c_client_demod; + struct i2c_client *i2c_client_tuner; + +@@ -661,62 +662,72 @@ static int su3000_i2c_transfer(struct i2 + int num) + { + struct dvb_usb_device *d = i2c_get_adapdata(adap); +- u8 obuf[0x40], ibuf[0x40]; ++ struct dw2102_state *state; + + if (!d) + return -ENODEV; ++ ++ state = d->priv; ++ + if (mutex_lock_interruptible(&d->i2c_mutex) < 0) + return -EAGAIN; ++ if (mutex_lock_interruptible(&d->data_mutex) < 0) { ++ mutex_unlock(&d->i2c_mutex); ++ return -EAGAIN; ++ } + + switch (num) { + case 1: + switch (msg[0].addr) { + case SU3000_STREAM_CTRL: +- obuf[0] = msg[0].buf[0] + 0x36; +- 
obuf[1] = 3; +- obuf[2] = 0; +- if (dvb_usb_generic_rw(d, obuf, 3, ibuf, 0, 0) < 0) ++ state->data[0] = msg[0].buf[0] + 0x36; ++ state->data[1] = 3; ++ state->data[2] = 0; ++ if (dvb_usb_generic_rw(d, state->data, 3, ++ state->data, 0, 0) < 0) + err("i2c transfer failed."); + break; + case DW2102_RC_QUERY: +- obuf[0] = 0x10; +- if (dvb_usb_generic_rw(d, obuf, 1, ibuf, 2, 0) < 0) ++ state->data[0] = 0x10; ++ if (dvb_usb_generic_rw(d, state->data, 1, ++ state->data, 2, 0) < 0) + err("i2c transfer failed."); +- msg[0].buf[1] = ibuf[0]; +- msg[0].buf[0] = ibuf[1]; ++ msg[0].buf[1] = state->data[0]; ++ msg[0].buf[0] = state->data[1]; + break; + default: + /* always i2c write*/ +- obuf[0] = 0x08; +- obuf[1] = msg[0].addr; +- obuf[2] = msg[0].len; ++ state->data[0] = 0x08; ++ state->data[1] = msg[0].addr; ++ state->data[2] = msg[0].len; + +- memcpy(&obuf[3], msg[0].buf, msg[0].len); ++ memcpy(&state->data[3], msg[0].buf, msg[0].len); + +- if (dvb_usb_generic_rw(d, obuf, msg[0].len + 3, +- ibuf, 1, 0) < 0) ++ if (dvb_usb_generic_rw(d, state->data, msg[0].len + 3, ++ state->data, 1, 0) < 0) + err("i2c transfer failed."); + + } + break; + case 2: + /* always i2c read */ +- obuf[0] = 0x09; +- obuf[1] = msg[0].len; +- obuf[2] = msg[1].len; +- obuf[3] = msg[0].addr; +- memcpy(&obuf[4], msg[0].buf, msg[0].len); ++ state->data[0] = 0x09; ++ state->data[1] = msg[0].len; ++ state->data[2] = msg[1].len; ++ state->data[3] = msg[0].addr; ++ memcpy(&state->data[4], msg[0].buf, msg[0].len); + +- if (dvb_usb_generic_rw(d, obuf, msg[0].len + 4, +- ibuf, msg[1].len + 1, 0) < 0) ++ if (dvb_usb_generic_rw(d, state->data, msg[0].len + 4, ++ state->data, msg[1].len + 1, 0) < 0) + err("i2c transfer failed."); + +- memcpy(msg[1].buf, &ibuf[1], msg[1].len); ++ memcpy(msg[1].buf, &state->data[1], msg[1].len); + break; + default: + warn("more than 2 i2c messages at a time is not handled yet."); + break; + } ++ mutex_unlock(&d->data_mutex); + mutex_unlock(&d->i2c_mutex); + return num; + } +@@ 
-844,17 +855,23 @@ static int su3000_streaming_ctrl(struct + static int su3000_power_ctrl(struct dvb_usb_device *d, int i) + { + struct dw2102_state *state = (struct dw2102_state *)d->priv; +- u8 obuf[] = {0xde, 0}; ++ int ret = 0; + + info("%s: %d, initialized %d", __func__, i, state->initialized); + + if (i && !state->initialized) { ++ mutex_lock(&d->data_mutex); ++ ++ state->data[0] = 0xde; ++ state->data[1] = 0; ++ + state->initialized = 1; + /* reset board */ +- return dvb_usb_generic_rw(d, obuf, 2, NULL, 0, 0); ++ ret = dvb_usb_generic_rw(d, state->data, 2, NULL, 0, 0); ++ mutex_unlock(&d->data_mutex); + } + +- return 0; ++ return ret; + } + + static int su3000_read_mac_address(struct dvb_usb_device *d, u8 mac[6]) +@@ -1309,49 +1326,57 @@ static int prof_7500_frontend_attach(str + return 0; + } + +-static int su3000_frontend_attach(struct dvb_usb_adapter *d) ++static int su3000_frontend_attach(struct dvb_usb_adapter *adap) + { +- u8 obuf[3] = { 0xe, 0x80, 0 }; +- u8 ibuf[] = { 0 }; ++ struct dvb_usb_device *d = adap->dev; ++ struct dw2102_state *state = d->priv; ++ ++ mutex_lock(&d->data_mutex); + +- if (dvb_usb_generic_rw(d->dev, obuf, 3, ibuf, 1, 0) < 0) ++ state->data[0] = 0xe; ++ state->data[1] = 0x80; ++ state->data[2] = 0; ++ ++ if (dvb_usb_generic_rw(d, state->data, 3, state->data, 1, 0) < 0) + err("command 0x0e transfer failed."); + +- obuf[0] = 0xe; +- obuf[1] = 0x02; +- obuf[2] = 1; ++ state->data[0] = 0xe; ++ state->data[1] = 0x02; ++ state->data[2] = 1; + +- if (dvb_usb_generic_rw(d->dev, obuf, 3, ibuf, 1, 0) < 0) ++ if (dvb_usb_generic_rw(d, state->data, 3, state->data, 1, 0) < 0) + err("command 0x0e transfer failed."); + msleep(300); + +- obuf[0] = 0xe; +- obuf[1] = 0x83; +- obuf[2] = 0; ++ state->data[0] = 0xe; ++ state->data[1] = 0x83; ++ state->data[2] = 0; + +- if (dvb_usb_generic_rw(d->dev, obuf, 3, ibuf, 1, 0) < 0) ++ if (dvb_usb_generic_rw(d, state->data, 3, state->data, 1, 0) < 0) + err("command 0x0e transfer failed."); + +- obuf[0] = 
0xe; +- obuf[1] = 0x83; +- obuf[2] = 1; ++ state->data[0] = 0xe; ++ state->data[1] = 0x83; ++ state->data[2] = 1; + +- if (dvb_usb_generic_rw(d->dev, obuf, 3, ibuf, 1, 0) < 0) ++ if (dvb_usb_generic_rw(d, state->data, 3, state->data, 1, 0) < 0) + err("command 0x0e transfer failed."); + +- obuf[0] = 0x51; ++ state->data[0] = 0x51; + +- if (dvb_usb_generic_rw(d->dev, obuf, 1, ibuf, 1, 0) < 0) ++ if (dvb_usb_generic_rw(d, state->data, 1, state->data, 1, 0) < 0) + err("command 0x51 transfer failed."); + +- d->fe_adap[0].fe = dvb_attach(ds3000_attach, &su3000_ds3000_config, +- &d->dev->i2c_adap); +- if (d->fe_adap[0].fe == NULL) ++ mutex_unlock(&d->data_mutex); ++ ++ adap->fe_adap[0].fe = dvb_attach(ds3000_attach, &su3000_ds3000_config, ++ &d->i2c_adap); ++ if (adap->fe_adap[0].fe == NULL) + return -EIO; + +- if (dvb_attach(ts2020_attach, d->fe_adap[0].fe, ++ if (dvb_attach(ts2020_attach, adap->fe_adap[0].fe, + &dw2104_ts2020_config, +- &d->dev->i2c_adap)) { ++ &d->i2c_adap)) { + info("Attached DS3000/TS2020!"); + return 0; + } +@@ -1360,47 +1385,55 @@ static int su3000_frontend_attach(struct + return -EIO; + } + +-static int t220_frontend_attach(struct dvb_usb_adapter *d) ++static int t220_frontend_attach(struct dvb_usb_adapter *adap) + { +- u8 obuf[3] = { 0xe, 0x87, 0 }; +- u8 ibuf[] = { 0 }; ++ struct dvb_usb_device *d = adap->dev; ++ struct dw2102_state *state = d->priv; ++ ++ mutex_lock(&d->data_mutex); + +- if (dvb_usb_generic_rw(d->dev, obuf, 3, ibuf, 1, 0) < 0) ++ state->data[0] = 0xe; ++ state->data[1] = 0x87; ++ state->data[2] = 0x0; ++ ++ if (dvb_usb_generic_rw(d, state->data, 3, state->data, 1, 0) < 0) + err("command 0x0e transfer failed."); + +- obuf[0] = 0xe; +- obuf[1] = 0x86; +- obuf[2] = 1; ++ state->data[0] = 0xe; ++ state->data[1] = 0x86; ++ state->data[2] = 1; + +- if (dvb_usb_generic_rw(d->dev, obuf, 3, ibuf, 1, 0) < 0) ++ if (dvb_usb_generic_rw(d, state->data, 3, state->data, 1, 0) < 0) + err("command 0x0e transfer failed."); + +- obuf[0] = 0xe; +- 
obuf[1] = 0x80; +- obuf[2] = 0; ++ state->data[0] = 0xe; ++ state->data[1] = 0x80; ++ state->data[2] = 0; + +- if (dvb_usb_generic_rw(d->dev, obuf, 3, ibuf, 1, 0) < 0) ++ if (dvb_usb_generic_rw(d, state->data, 3, state->data, 1, 0) < 0) + err("command 0x0e transfer failed."); + + msleep(50); + +- obuf[0] = 0xe; +- obuf[1] = 0x80; +- obuf[2] = 1; ++ state->data[0] = 0xe; ++ state->data[1] = 0x80; ++ state->data[2] = 1; + +- if (dvb_usb_generic_rw(d->dev, obuf, 3, ibuf, 1, 0) < 0) ++ if (dvb_usb_generic_rw(d, state->data, 3, state->data, 1, 0) < 0) + err("command 0x0e transfer failed."); + +- obuf[0] = 0x51; ++ state->data[0] = 0x51; + +- if (dvb_usb_generic_rw(d->dev, obuf, 1, ibuf, 1, 0) < 0) ++ if (dvb_usb_generic_rw(d, state->data, 1, state->data, 1, 0) < 0) + err("command 0x51 transfer failed."); + +- d->fe_adap[0].fe = dvb_attach(cxd2820r_attach, &cxd2820r_config, +- &d->dev->i2c_adap, NULL); +- if (d->fe_adap[0].fe != NULL) { +- if (dvb_attach(tda18271_attach, d->fe_adap[0].fe, 0x60, +- &d->dev->i2c_adap, &tda18271_config)) { ++ mutex_unlock(&d->data_mutex); ++ ++ adap->fe_adap[0].fe = dvb_attach(cxd2820r_attach, &cxd2820r_config, ++ &d->i2c_adap, NULL); ++ if (adap->fe_adap[0].fe != NULL) { ++ if (dvb_attach(tda18271_attach, adap->fe_adap[0].fe, 0x60, ++ &d->i2c_adap, &tda18271_config)) { + info("Attached TDA18271HD/CXD2820R!"); + return 0; + } +@@ -1410,23 +1443,30 @@ static int t220_frontend_attach(struct d + return -EIO; + } + +-static int m88rs2000_frontend_attach(struct dvb_usb_adapter *d) ++static int m88rs2000_frontend_attach(struct dvb_usb_adapter *adap) + { +- u8 obuf[] = { 0x51 }; +- u8 ibuf[] = { 0 }; ++ struct dvb_usb_device *d = adap->dev; ++ struct dw2102_state *state = d->priv; ++ ++ mutex_lock(&d->data_mutex); + +- if (dvb_usb_generic_rw(d->dev, obuf, 1, ibuf, 1, 0) < 0) ++ state->data[0] = 0x51; ++ ++ if (dvb_usb_generic_rw(d, state->data, 1, state->data, 1, 0) < 0) + err("command 0x51 transfer failed."); + +- d->fe_adap[0].fe = 
dvb_attach(m88rs2000_attach, &s421_m88rs2000_config, +- &d->dev->i2c_adap); ++ mutex_unlock(&d->data_mutex); + +- if (d->fe_adap[0].fe == NULL) ++ adap->fe_adap[0].fe = dvb_attach(m88rs2000_attach, ++ &s421_m88rs2000_config, ++ &d->i2c_adap); ++ ++ if (adap->fe_adap[0].fe == NULL) + return -EIO; + +- if (dvb_attach(ts2020_attach, d->fe_adap[0].fe, ++ if (dvb_attach(ts2020_attach, adap->fe_adap[0].fe, + &dw2104_ts2020_config, +- &d->dev->i2c_adap)) { ++ &d->i2c_adap)) { + info("Attached RS2000/TS2020!"); + return 0; + } +@@ -1439,44 +1479,50 @@ static int tt_s2_4600_frontend_attach(st + { + struct dvb_usb_device *d = adap->dev; + struct dw2102_state *state = d->priv; +- u8 obuf[3] = { 0xe, 0x80, 0 }; +- u8 ibuf[] = { 0 }; + struct i2c_adapter *i2c_adapter; + struct i2c_client *client; + struct i2c_board_info board_info; + struct m88ds3103_platform_data m88ds3103_pdata = {}; + struct ts2020_config ts2020_config = {}; + +- if (dvb_usb_generic_rw(d, obuf, 3, ibuf, 1, 0) < 0) ++ mutex_lock(&d->data_mutex); ++ ++ state->data[0] = 0xe; ++ state->data[1] = 0x80; ++ state->data[2] = 0x0; ++ ++ if (dvb_usb_generic_rw(d, state->data, 3, state->data, 1, 0) < 0) + err("command 0x0e transfer failed."); + +- obuf[0] = 0xe; +- obuf[1] = 0x02; +- obuf[2] = 1; ++ state->data[0] = 0xe; ++ state->data[1] = 0x02; ++ state->data[2] = 1; + +- if (dvb_usb_generic_rw(d, obuf, 3, ibuf, 1, 0) < 0) ++ if (dvb_usb_generic_rw(d, state->data, 3, state->data, 1, 0) < 0) + err("command 0x0e transfer failed."); + msleep(300); + +- obuf[0] = 0xe; +- obuf[1] = 0x83; +- obuf[2] = 0; ++ state->data[0] = 0xe; ++ state->data[1] = 0x83; ++ state->data[2] = 0; + +- if (dvb_usb_generic_rw(d, obuf, 3, ibuf, 1, 0) < 0) ++ if (dvb_usb_generic_rw(d, state->data, 3, state->data, 1, 0) < 0) + err("command 0x0e transfer failed."); + +- obuf[0] = 0xe; +- obuf[1] = 0x83; +- obuf[2] = 1; ++ state->data[0] = 0xe; ++ state->data[1] = 0x83; ++ state->data[2] = 1; + +- if (dvb_usb_generic_rw(d, obuf, 3, ibuf, 1, 0) < 0) 
++ if (dvb_usb_generic_rw(d, state->data, 3, state->data, 1, 0) < 0) + err("command 0x0e transfer failed."); + +- obuf[0] = 0x51; ++ state->data[0] = 0x51; + +- if (dvb_usb_generic_rw(d, obuf, 1, ibuf, 1, 0) < 0) ++ if (dvb_usb_generic_rw(d, state->data, 1, state->data, 1, 0) < 0) + err("command 0x51 transfer failed."); + ++ mutex_unlock(&d->data_mutex); ++ + /* attach demod */ + m88ds3103_pdata.clk = 27000000; + m88ds3103_pdata.i2c_wr_max = 33; diff --git a/queue-4.10/efi-arm-fix-boot-crash-with-config_cpumask_offstack-y.patch b/queue-4.10/efi-arm-fix-boot-crash-with-config_cpumask_offstack-y.patch new file mode 100644 index 00000000000..61223d9e3b1 --- /dev/null +++ b/queue-4.10/efi-arm-fix-boot-crash-with-config_cpumask_offstack-y.patch 
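Review bot: In su3000_i2c_transfer the `memcpy(&state->data[3], msg[0].buf, msg[0].len);` in the default case and the `memcpy(&state->data[4], msg[0].buf, msg[0].len);` in the two-message case copy a caller-supplied length into the new `u8 data[MAX_XFER_SIZE + 4]` field without comparing it to the buffer, and the two-message read-back then fetches `msg[1].len + 1` bytes into the same buffer before `memcpy(msg[1].buf, &state->data[1], msg[1].len);`. The replaced stack arrays had the same gap, so this is not a regression, but moving the buffer into the device state does not close it, and nothing in the hunk shows the adapter or dvb_usb_generic_rw() capping message lengths; if a quirk table does so elsewhere, a comment at the copies saying so would suffice. Otherwise a check of `msg[0].len` (and `msg[1].len` in the two-message case) against `MAX_XFER_SIZE` before each copy, releasing `data_mutex` and `i2c_mutex` and returning an error on failure, would bound the writes. A smaller consistency point: su3000_power_ctrl and the frontend_attach helpers take `d->data_mutex` with plain `mutex_lock()` while su3000_i2c_transfer uses `mutex_lock_interruptible()`; either is defensible, but the difference is worth a comment.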
@@ -0,0 +1,59 @@
+From d1eb98143c56f24fef125f5bbed49ae0b52fb7d6 Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel
+Date: Wed, 1 Mar 2017 19:05:54 +0000
+Subject: efi/arm: Fix boot crash with CONFIG_CPUMASK_OFFSTACK=y
+
+From: Ard Biesheuvel
+
+commit d1eb98143c56f24fef125f5bbed49ae0b52fb7d6 upstream.
+
+On ARM and arm64, we use a dedicated mm_struct to map the UEFI
+Runtime Services regions, which allows us to map those regions
+on demand, and in a way that is guaranteed to be compatible
+with incoming kernels across kexec.
+
+As it turns out, we don't fully initialize the mm_struct in the
+same way as process mm_structs are initialized on fork(), which
+results in the following crash on ARM if CONFIG_CPUMASK_OFFSTACK=y
+is enabled:
+
+ ...
+ EFI Variables Facility v0.08 2004-May-17
+ Unable to handle kernel NULL pointer dereference at virtual address 00000000
+ [...]
+ Process swapper/0 (pid: 1)
+ ...
+ __memzero()
+ check_and_switch_context()
+ virt_efi_get_next_variable()
+ efivar_init()
+ efivars_sysfs_init()
+ do_one_initcall()
+ ...
+
+This is due to a missing call to mm_init_cpumask(), so add it.
+
+Signed-off-by: Ard Biesheuvel
+Cc: Linus Torvalds
+Cc: Matt Fleming
+Cc: Peter Zijlstra
+Cc: Thomas Gleixner
+Cc: linux-efi@vger.kernel.org
+Link: http://lkml.kernel.org/r/1488395154-29786-1-git-send-email-ard.biesheuvel@linaro.org
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/firmware/efi/arm-runtime.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/firmware/efi/arm-runtime.c
++++ b/drivers/firmware/efi/arm-runtime.c
+@@ -65,6 +65,7 @@ static bool __init efi_virtmap_init(void
+ bool systab_found;
+
+ efi_mm.pgd = pgd_alloc(&efi_mm);
++ mm_init_cpumask(&efi_mm);
+ init_new_context(NULL, &efi_mm);
+
+ systab_found = false;
diff --git a/queue-4.10/i2c-add-missing-of_node_put-in-i2c_mux_del_adapters.patch b/queue-4.10/i2c-add-missing-of_node_put-in-i2c_mux_del_adapters.patch
new file mode 100644
index 00000000000..dfe2882c28e
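Review bot: The `efi_mm.pgd = pgd_alloc(&efi_mm);` line directly above the added call is still unchecked, so on allocation failure both `mm_init_cpumask(&efi_mm)` and `init_new_context(NULL, &efi_mm)` run against an mm whose pgd is NULL; this predates the commit rather than being introduced by it. A guard between the two lines, `if (!efi_mm.pgd) return false;`, would keep the failure path consistent with the function's existing `bool` return. efi_virtmap_init's body continues outside the hunk, so whether a later check already covers this cannot be confirmed from here.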
--- /dev/null
+++ b/queue-4.10/i2c-add-missing-of_node_put-in-i2c_mux_del_adapters.patch
@@ -0,0 +1,39 @@
+From 2e1e4949f9dfb053122785cd73540bb1e61f768b Mon Sep 17 00:00:00 2001
+From: Qi Hou
+Date: Fri, 3 Mar 2017 15:57:11 +0800
+Subject: i2c: add missing of_node_put in i2c_mux_del_adapters
+
+From: Qi Hou
+
+commit 2e1e4949f9dfb053122785cd73540bb1e61f768b upstream.
+
+Refcount of of_node is increased with of_node_get() in i2c_mux_add_adapter().
+It must be decreased with of_node_put() in i2c_mux_del_adapters().
+
+Signed-off-by: Qi Hou
+Reviewed-by: Zhang Xiao
+Signed-off-by: Peter Rosin
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/i2c/i2c-mux.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/i2c/i2c-mux.c
++++ b/drivers/i2c/i2c-mux.c
+@@ -429,6 +429,7 @@ void i2c_mux_del_adapters(struct i2c_mux
+ while (muxc->num_adapters) {
+ struct i2c_adapter *adap = muxc->adapter[--muxc->num_adapters];
+ struct i2c_mux_priv *priv = adap->algo_data;
++ struct device_node *np = adap->dev.of_node;
+
+ muxc->adapter[muxc->num_adapters] = NULL;
+
+@@ -438,6 +439,7 @@ void i2c_mux_del_adapters(struct i2c_mux
+
+ sysfs_remove_link(&priv->adap.dev.kobj, "mux_device");
+ i2c_del_adapter(adap);
++ of_node_put(np);
+ kfree(priv);
+ }
+ }
diff --git a/queue-4.10/i2c-bcm2835-avoid-possible-null-ptr-dereference.patch b/queue-4.10/i2c-bcm2835-avoid-possible-null-ptr-dereference.patch
new file mode 100644
index 00000000000..fa509722a64
--- /dev/null
+++ b/queue-4.10/i2c-bcm2835-avoid-possible-null-ptr-dereference.patch
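Review bot: The added `of_node_put(np);` has no comment naming the `of_node_get()` it balances, and the reason `np` is captured at the top of the loop instead of being read from `adap->dev.of_node` at the point of use is not stated either. Reading the hunk, `adap` appears to be embedded in `priv` (`priv->adap`) which `kfree(priv)` releases right after, and `i2c_del_adapter(adap)` runs first, so the early capture looks deliberate; a one-line comment on the new declaration, `/* balances of_node_get() in i2c_mux_add_adapter(); captured now, adap is torn down below */`, would spare the next reader a trip to the commit log. The loop body continues across the two hunks but the function's tail is visible, so nothing else is hidden.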
@@ -0,0 +1,43 @@
+From ababb08938df7ac245d30a58b95b94ecf8dc04fc Mon Sep 17 00:00:00 2001
+From: Stefan Wahren
+Date: Thu, 16 Feb 2017 21:20:45 +0000
+Subject: i2c: bcm2835: Avoid possible NULL ptr dereference
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Stefan Wahren
+
+commit ababb08938df7ac245d30a58b95b94ecf8dc04fc upstream.
+
+Since commit e2474541032d ("bcm2835: Fix hang for writing messages
+larger than 16 bytes") the interrupt handler is prone to a possible
+NULL pointer dereference. This could happen if an interrupt fires
+before curr_msg is set by bcm2835_i2c_xfer_msg() and randomly occurs
+on the RPi 3. Even this is an unexpected behavior the driver must
+handle that with an error instead of a crash.
+
+Reported-by: Peter Robinson
+Fixes: e2474541032d ("bcm2835: Fix hang for writing messages larger than 16 bytes")
+Signed-off-by: Stefan Wahren
+Acked-by: Noralf Trønnes
+Signed-off-by: Wolfram Sang
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/i2c/busses/i2c-bcm2835.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-bcm2835.c
++++ b/drivers/i2c/busses/i2c-bcm2835.c
+@@ -195,7 +195,9 @@ static irqreturn_t bcm2835_i2c_isr(int t
+ }
+
+ if (val & BCM2835_I2C_S_DONE) {
+- if (i2c_dev->curr_msg->flags & I2C_M_RD) {
++ if (!i2c_dev->curr_msg) {
++ dev_err(i2c_dev->dev, "Got unexpected interrupt (from firmware?)\n");
++ } else if (i2c_dev->curr_msg->flags & I2C_M_RD) {
+ bcm2835_drain_rxfifo(i2c_dev);
+ val = bcm2835_i2c_readl(i2c_dev, BCM2835_I2C_S);
+ }
diff --git a/queue-4.10/kvm-arm-arm64-let-vcpu-thread-modify-its-own-active-state.patch b/queue-4.10/kvm-arm-arm64-let-vcpu-thread-modify-its-own-active-state.patch
new file mode 100644
index 00000000000..201060e47a8
--- /dev/null
+++ b/queue-4.10/kvm-arm-arm64-let-vcpu-thread-modify-its-own-active-state.patch
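Review bot: The new `dev_err(i2c_dev->dev, "Got unexpected interrupt (from firmware?)\n");` runs from the interrupt handler, and the commit message says the spurious interrupt "randomly occurs on the RPi 3", so a burst of them would flood the log from IRQ context; `dev_err_ratelimited(i2c_dev->dev, "Got unexpected interrupt (from firmware?)\n");` keeps the diagnostic without that cost. The hunk also does not show how the DONE status is acknowledged when `curr_msg` is NULL — bcm2835_i2c_isr's body continues outside the hunk, so it may be handled below, but it is worth confirming the interrupt is cleared on this path so it does not re-fire immediately.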
@@ -0,0 +1,73 @@ +From 370a0ec1819990f8e2a93df7cc9c0146980ed45f Mon Sep 17 00:00:00 2001 +From: Jintack Lim +Date: Mon, 6 Mar 2017 05:42:37 -0800 +Subject: KVM: arm/arm64: Let vcpu thread modify its own active state + +From: Jintack Lim + +commit 370a0ec1819990f8e2a93df7cc9c0146980ed45f upstream. + +Currently, if a vcpu thread tries to change the active state of an +interrupt which is already on the same vcpu's AP list, it will loop +forever. Since the VGIC mmio handler is called after a vcpu has +already synced back the LR state to the struct vgic_irq, we can just +let it proceed safely. + +Reviewed-by: Marc Zyngier +Signed-off-by: Jintack Lim +Signed-off-by: Christoffer Dall +Signed-off-by: Marc Zyngier +Signed-off-by: Greg Kroah-Hartman + +--- + virt/kvm/arm/vgic/vgic-mmio.c | 32 ++++++++++++++++++++++++-------- + 1 file changed, 24 insertions(+), 8 deletions(-) + +--- a/virt/kvm/arm/vgic/vgic-mmio.c ++++ b/virt/kvm/arm/vgic/vgic-mmio.c +@@ -187,21 +187,37 @@ unsigned long vgic_mmio_read_active(stru + static void vgic_mmio_change_active(struct kvm_vcpu *vcpu, struct vgic_irq *irq, + bool new_active_state) + { ++ struct kvm_vcpu *requester_vcpu; + spin_lock(&irq->irq_lock); ++ ++ /* ++ * The vcpu parameter here can mean multiple things depending on how ++ * this function is called; when handling a trap from the kernel it ++ * depends on the GIC version, and these functions are also called as ++ * part of save/restore from userspace. ++ * ++ * Therefore, we have to figure out the requester in a reliable way. ++ * ++ * When accessing VGIC state from user space, the requester_vcpu is ++ * NULL, which is fine, because we guarantee that no VCPUs are running ++ * when accessing VGIC state from user space so irq->vcpu->cpu is ++ * always -1. ++ */ ++ requester_vcpu = kvm_arm_get_running_vcpu(); ++ + /* + * If this virtual IRQ was written into a list register, we + * have to make sure the CPU that runs the VCPU thread has +- * synced back LR state to the struct vgic_irq. 
We can only +- * know this for sure, when either this irq is not assigned to +- * anyone's AP list anymore, or the VCPU thread is not +- * running on any CPUs. ++ * synced back the LR state to the struct vgic_irq. + * +- * In the opposite case, we know the VCPU thread may be on its +- * way back from the guest and still has to sync back this +- * IRQ, so we release and re-acquire the spin_lock to let the +- * other thread sync back the IRQ. ++ * As long as the conditions below are true, we know the VCPU thread ++ * may be on its way back from the guest (we kicked the VCPU thread in ++ * vgic_change_active_prepare) and still has to sync back this IRQ, ++ * so we release and re-acquire the spin_lock to let the other thread ++ * sync back the IRQ. + */ + while (irq->vcpu && /* IRQ may have state in an LR somewhere */ ++ irq->vcpu != requester_vcpu && /* Current thread is not the VCPU thread */ + irq->vcpu->cpu != -1) /* VCPU thread is running */ + cond_resched_lock(&irq->irq_lock); + diff --git a/queue-4.10/kvm-s390-fix-guest-migration-for-huge-guests-resulting-in-panic.patch b/queue-4.10/kvm-s390-fix-guest-migration-for-huge-guests-resulting-in-panic.patch new file mode 100644 index 00000000000..188dfb692c7 --- /dev/null +++ b/queue-4.10/kvm-s390-fix-guest-migration-for-huge-guests-resulting-in-panic.patch 
@@ -0,0 +1,61 @@
+From 2e4d88009f57057df7672fa69a32b5224af54d37 Mon Sep 17 00:00:00 2001
+From: Janosch Frank
+Date: Thu, 2 Mar 2017 15:23:42 +0100
+Subject: KVM: s390: Fix guest migration for huge guests resulting in panic
+
+From: Janosch Frank
+
+commit 2e4d88009f57057df7672fa69a32b5224af54d37 upstream.
+
+While we can technically not run huge page guests right now, we can
+setup a guest with huge pages. Trying to migrate it will trigger a
+VM_BUG_ON and, if the kernel is not configured to panic on a BUG, it
+will happily try to work on non-existing page table entries.
+
+With this patch, we always return "dirty" if we encounter a large page
+when migrating. This at least fixes the immediate problem until we
+have proper handling for both kind of pages.
+
+Fixes: 15f36eb ("KVM: s390: Add proper dirty bitmap support to S390 kvm.")
+Signed-off-by: Janosch Frank
+Acked-by: Christian Borntraeger
+Signed-off-by: Martin Schwidefsky
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/s390/mm/pgtable.c | 19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+--- a/arch/s390/mm/pgtable.c
++++ b/arch/s390/mm/pgtable.c
+@@ -606,12 +606,29 @@ void ptep_zap_key(struct mm_struct *mm,
+ bool test_and_clear_guest_dirty(struct mm_struct *mm, unsigned long addr)
+ {
+ spinlock_t *ptl;
++ pgd_t *pgd;
++ pud_t *pud;
++ pmd_t *pmd;
+ pgste_t pgste;
+ pte_t *ptep;
+ pte_t pte;
+ bool dirty;
+
+- ptep = get_locked_pte(mm, addr, &ptl);
++ pgd = pgd_offset(mm, addr);
++ pud = pud_alloc(mm, pgd, addr);
++ if (!pud)
++ return false;
++ pmd = pmd_alloc(mm, pud, addr);
++ if (!pmd)
++ return false;
++ /* We can't run guests backed by huge pages, but userspace can
++ * still set them up and then try to migrate them without any
++ * migration support.
++ */
++ if (pmd_large(*pmd))
++ return true;
++
++ ptep = pte_alloc_map_lock(mm, pmd, addr, &ptl);
+ if (unlikely(!ptep))
+ return false;
+
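Review bot: The comment above `if (pmd_large(*pmd)) return true;` explains why a large PMD can be met but not what `return true` means to the caller; the commit message says the intent is to always report such a page as dirty, so adding a line to the comment block, `* Report the page as dirty so migration stays conservative until huge-page dirty tracking exists.`, makes that trade-off explicit in the code. Worth a second comment that `pud_alloc()`/`pmd_alloc()` can allocate page-table pages on what reads as a query path — the replaced `get_locked_pte()` presumably did the same internally, so this is not new, but the open-coded walk now makes it visible. test_and_clear_guest_dirty's body continues outside the hunk.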
diff --git a/queue-4.10/pci-prevent-vpd-access-for-qlogic-isp2722.patch b/queue-4.10/pci-prevent-vpd-access-for-qlogic-isp2722.patch
new file mode 100644
index 00000000000..d8083fdff3d
--- /dev/null
+++ b/queue-4.10/pci-prevent-vpd-access-for-qlogic-isp2722.patch
@@ -0,0 +1,79 @@ +From 0d5370d1d85251e5893ab7c90a429464de2e140b Mon Sep 17 00:00:00 2001 +From: Ethan Zhao +Date: Mon, 27 Feb 2017 17:08:44 +0900 +Subject: PCI: Prevent VPD access for QLogic ISP2722 + +From: Ethan Zhao + +commit 0d5370d1d85251e5893ab7c90a429464de2e140b upstream. + +QLogic ISP2722-based 16/32Gb Fibre Channel to PCIe Adapter has the VPD +access issue too, while read the common pci-sysfs access interface shown as + + /sys/devices/pci0000:00/0000:00:03.2/0000:0b:00.0/vpd + +with simple 'cat' could cause system hang and panic: + + Kernel panic - not syncing: An NMI occurred. Depending on your system the reason for the NMI is logged in any one of the following resources: + 1. Integrated Management Log (IML) + 2. OA Syslog + 3. OA Forward Progress Log + 4. iLO Event Log + CPU: 0 PID: 15070 Comm: udevadm Not tainted 4.1.12 + Hardware name: HP ProLiant DL380 Gen9/ProLiant DL380 Gen9, BIOS P89 12/27/2015 + 0000000000000086 000000007f0cdf51 ffff880c4fa05d58 ffffffff817193de + ffffffffa00b42d8 0000000000000075 ffff880c4fa05dd8 ffffffff81714072 + 0000000000000008 ffff880c4fa05de8 ffff880c4fa05d88 000000007f0cdf51 + Call Trace: + [] dump_stack+0x63/0x81 + [] panic+0xd0/0x20e + [] hpwdt_pretimeout+0xdd/0xe0 [hpwdt] + [] ? sched_clock+0x9/0x10 + [] nmi_handle+0x91/0x170 + [] ? nmi_handle+0x9c/0x170 + [] io_check_error+0x1e/0xa0 + [] default_do_nmi+0x99/0x140 + [] do_nmi+0xf4/0x170 + [] end_repeat_nmi+0x1a/0x1e + [] ? pci_conf1_read+0xeb/0x120 + [] ? pci_conf1_read+0xeb/0x120 + [] ? pci_conf1_read+0xeb/0x120 + <> [] raw_pci_read+0x23/0x40 + [] pci_read+0x2c/0x30 + [] pci_user_read_config_word+0x72/0x110 + [] pci_vpd_pci22_wait+0x96/0x130 + [] pci_vpd_pci22_read+0xdb/0x1a0 + [] pci_read_vpd+0x20/0x30 + [] read_vpd_attr+0x30/0x40 + [] sysfs_kf_bin_read+0x47/0x70 + [] kernfs_fop_read+0xae/0x180 + [] __vfs_read+0x37/0x100 + [] ? security_file_permission+0x84/0xa0 + [] ? 
rw_verify_area+0x56/0xe0 + [] vfs_read+0x86/0x140 + [] SyS_read+0x55/0xd0 + [] system_call_fastpath+0x12/0x71 + Shutting down cpus with NMI + Kernel Offset: disabled + drm_kms_helper: panic occurred, switching back to text console + +So blacklist the access to its VPD. + +Signed-off-by: Ethan Zhao +Signed-off-by: Bjorn Helgaas +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/quirks.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -2173,6 +2173,7 @@ DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_LS + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_LSI_LOGIC, 0x005f, quirk_blacklist_vpd); + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATTANSIC, PCI_ANY_ID, + quirk_blacklist_vpd); ++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_QLOGIC, 0x2261, quirk_blacklist_vpd); + + /* + * For Broadcom 5706, 5708, 5709 rev. A nics, any read beyond the diff --git a/queue-4.10/powerpc-booke-fix-boot-crash-due-to-null-hugepd.patch b/queue-4.10/powerpc-booke-fix-boot-crash-due-to-null-hugepd.patch new file mode 100644 index 00000000000..625a061405e --- /dev/null +++ b/queue-4.10/powerpc-booke-fix-boot-crash-due-to-null-hugepd.patch 
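Review bot: The added `DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_QLOGIC, 0x2261, quirk_blacklist_vpd);` carries a bare device id with nothing in the code naming the part or the symptom, and the neighbouring LSI/Attansic entries follow the same bare-id style, so the only place the rationale lives is this commit log. A one-line comment above the entry, `/* QLogic ISP2722 16/32Gb FC adapter: reading its VPD through sysfs hangs the host */`, keeps the justification next to the quirk; a named id would need a pci_ids.h addition, which is out of scope for a stable backport. The quirk table continues outside the hunk.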
@@ -0,0 +1,63 @@ +From 3fb66a70a4ae886445743354e4b60e54058bb3ff Mon Sep 17 00:00:00 2001 +From: Laurentiu Tudor +Date: Thu, 16 Feb 2017 09:11:29 -0600 +Subject: powerpc/booke: Fix boot crash due to null hugepd + +From: Laurentiu Tudor + +commit 3fb66a70a4ae886445743354e4b60e54058bb3ff upstream. + +On 32-bit book-e machines, hugepd_ok() no longer takes into account null +hugepd values, causing this crash at boot: + + Unable to handle kernel paging request for data at address 0x80000000 + ... + NIP [c0018378] follow_huge_addr+0x38/0xf0 + LR [c001836c] follow_huge_addr+0x2c/0xf0 + Call Trace: + follow_huge_addr+0x2c/0xf0 (unreliable) + follow_page_mask+0x40/0x3e0 + __get_user_pages+0xc8/0x450 + get_user_pages_remote+0x8c/0x250 + copy_strings+0x110/0x390 + copy_strings_kernel+0x2c/0x50 + do_execveat_common+0x478/0x630 + do_execve+0x2c/0x40 + try_to_run_init_process+0x18/0x60 + kernel_init+0xbc/0x110 + ret_from_kernel_thread+0x5c/0x64 + +This impacts all nxp (ex-freescale) 32-bit booke platforms. + +This was caused by the change of hugepd_t.pd from signed to unsigned, +and the update to the nohash version of hugepd_ok(). Previously +hugepd_ok() could exclude all non-huge and NULL pgds using > 0, whereas +now we need to explicitly check that the value is not zero and also that +PD_HUGE is *clear*. + +This isn't protected by the pgd_none() check in __find_linux_pte_or_hugepte() +because on 32-bit we use pgtable-nopud.h, which causes the pgd_none() +check to be always false. + +Fixes: 20717e1ff526 ("powerpc/mm: Fix little-endian 4K hugetlb") +Reported-by: Madalin-Cristian Bucur +Signed-off-by: Laurentiu Tudor +[mpe: Flesh out change log details.] 
+Signed-off-by: Michael Ellerman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/include/asm/nohash/pgtable.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/include/asm/nohash/pgtable.h
++++ b/arch/powerpc/include/asm/nohash/pgtable.h
+@@ -230,7 +230,7 @@ static inline int hugepd_ok(hugepd_t hpd
+ return ((hpd_val(hpd) & 0x4) != 0);
+ #else
+ /* We clear the top bit to indicate hugepd */
+- return ((hpd_val(hpd) & PD_HUGE) == 0);
++ return (hpd_val(hpd) && (hpd_val(hpd) & PD_HUGE) == 0);
+ #endif
+ }
+ 
diff --git a/queue-4.10/powerpc-emulation-support-for-load-store-instructions-on-le.patch b/queue-4.10/powerpc-emulation-support-for-load-store-instructions-on-le.patch
new file mode 100644
index 00000000000..6e8d2e8001a
--- /dev/null
+++ b/queue-4.10/powerpc-emulation-support-for-load-store-instructions-on-le.patch
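Review bot: The new return expression evaluates hpd_val(hpd) twice, and the comment above it ("We clear the top bit to indicate hugepd") no longer describes the zero check the fix adds, which is the part that actually prevents the boot crash. Caching the value in a local whose type matches hpd_val() (not visible in the hunk) and extending the comment keeps both conditions readable: `/* A zero pd is never a hugepd; for a real hugepd the top bit is clear */` followed by `return val && (val & PD_HUGE) == 0;`. hugepd_ok()'s signature is cut off at the hunk header, so the 0x4 branch for the other configuration is only partly visible.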
@@ -0,0 +1,110 @@ +From e148bd17f48bd17fca2f4f089ec879fa6e47e34c Mon Sep 17 00:00:00 2001 +From: Ravi Bangoria +Date: Tue, 14 Feb 2017 14:46:42 +0530 +Subject: powerpc: Emulation support for load/store instructions on LE + +From: Ravi Bangoria + +commit e148bd17f48bd17fca2f4f089ec879fa6e47e34c upstream. + +emulate_step() uses a number of underlying kernel functions that were +initially not enabled for LE. This has been rectified since. So, fix +emulate_step() for LE for the corresponding instructions. + +Reported-by: Anton Blanchard +Signed-off-by: Ravi Bangoria +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/lib/sstep.c | 20 -------------------- + 1 file changed, 20 deletions(-) + +--- a/arch/powerpc/lib/sstep.c ++++ b/arch/powerpc/lib/sstep.c +@@ -1799,8 +1799,6 @@ int __kprobes emulate_step(struct pt_reg + goto instr_done; + + case LARX: +- if (regs->msr & MSR_LE) +- return 0; + if (op.ea & (size - 1)) + break; /* can't handle misaligned */ + err = -EFAULT; +@@ -1824,8 +1822,6 @@ int __kprobes emulate_step(struct pt_reg + goto ldst_done; + + case STCX: +- if (regs->msr & MSR_LE) +- return 0; + if (op.ea & (size - 1)) + break; /* can't handle misaligned */ + err = -EFAULT; +@@ -1851,8 +1847,6 @@ int __kprobes emulate_step(struct pt_reg + goto ldst_done; + + case LOAD: +- if (regs->msr & MSR_LE) +- return 0; + err = read_mem(®s->gpr[op.reg], op.ea, size, regs); + if (!err) { + if (op.type & SIGNEXT) +@@ -1864,8 +1858,6 @@ int __kprobes emulate_step(struct pt_reg + + #ifdef CONFIG_PPC_FPU + case LOAD_FP: +- if (regs->msr & MSR_LE) +- return 0; + if (size == 4) + err = do_fp_load(op.reg, do_lfs, op.ea, size, regs); + else +@@ -1874,15 +1866,11 @@ int __kprobes emulate_step(struct pt_reg + #endif + #ifdef CONFIG_ALTIVEC + case LOAD_VMX: +- if (regs->msr & MSR_LE) +- return 0; + err = do_vec_load(op.reg, do_lvx, op.ea & ~0xfUL, regs); + goto ldst_done; + #endif + #ifdef CONFIG_VSX + case LOAD_VSX: +- if (regs->msr & MSR_LE) +- 
return 0; + err = do_vsx_load(op.reg, do_lxvd2x, op.ea, regs); + goto ldst_done; + #endif +@@ -1905,8 +1893,6 @@ int __kprobes emulate_step(struct pt_reg + goto instr_done; + + case STORE: +- if (regs->msr & MSR_LE) +- return 0; + if ((op.type & UPDATE) && size == sizeof(long) && + op.reg == 1 && op.update_reg == 1 && + !(regs->msr & MSR_PR) && +@@ -1919,8 +1905,6 @@ int __kprobes emulate_step(struct pt_reg + + #ifdef CONFIG_PPC_FPU + case STORE_FP: +- if (regs->msr & MSR_LE) +- return 0; + if (size == 4) + err = do_fp_store(op.reg, do_stfs, op.ea, size, regs); + else +@@ -1929,15 +1913,11 @@ int __kprobes emulate_step(struct pt_reg + #endif + #ifdef CONFIG_ALTIVEC + case STORE_VMX: +- if (regs->msr & MSR_LE) +- return 0; + err = do_vec_store(op.reg, do_stvx, op.ea & ~0xfUL, regs); + goto ldst_done; + #endif + #ifdef CONFIG_VSX + case STORE_VSX: +- if (regs->msr & MSR_LE) +- return 0; + err = do_vsx_store(op.reg, do_stxvd2x, op.ea, regs); + goto ldst_done; + #endif diff --git a/queue-4.10/powerpc-xics-work-around-limitations-of-opal-xics-priority-handling.patch b/queue-4.10/powerpc-xics-work-around-limitations-of-opal-xics-priority-handling.patch new file mode 100644 index 00000000000..4476c3d8798 --- /dev/null +++ b/queue-4.10/powerpc-xics-work-around-limitations-of-opal-xics-priority-handling.patch 
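Review bot: With every `if (regs->msr & MSR_LE) return 0;` guard removed, the LOAD*/STORE* cases now run on little-endian for the first time, and nothing in the hunks shows the call sites doing any byte-order handling; correctness rests entirely on read_mem, do_fp_load/do_fp_store, do_vec_load/do_vec_store, do_vsx_load/do_vsx_store and the STORE path's helper being endian-aware, which the change log asserts but the diff does not show. A one-line comment at the top of emulate_step() recording that these helpers handle MSR_LE themselves would stop a future reader from re-adding the guard on one case and not the others. emulate_step() begins before the first hunk and ends after the last, so the helpers themselves are not reviewable from this patch.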
@@ -0,0 +1,126 @@ +From a69e2fb70350a66f91175cd2625f1e8215c5b6e9 Mon Sep 17 00:00:00 2001 +From: Balbir Singh +Date: Fri, 3 Mar 2017 11:58:44 +1100 +Subject: powerpc/xics: Work around limitations of OPAL XICS priority handling + +From: Balbir Singh + +commit a69e2fb70350a66f91175cd2625f1e8215c5b6e9 upstream. + +The CPPR (Current Processor Priority Register) of a XICS interrupt +presentation controller contains a value N, such that only interrupts +with a priority "more favoured" than N will be received by the CPU, +where "more favoured" means "less than". So if the CPPR has the value 5 +then only interrupts with a priority of 0-4 inclusive will be received. + +In theory the CPPR can support a value of 0 to 255 inclusive. +In practice Linux only uses values of 0, 4, 5 and 0xff. Setting the CPPR +to 0 rejects all interrupts, setting it to 0xff allows all interrupts. +The values 4 and 5 are used to differentiate IPIs from external +interrupts. Setting the CPPR to 5 allows IPIs to be received but not +external interrupts. + +The CPPR emulation in the OPAL XICS implementation only directly +supports priorities 0 and 0xff. All other priorities are considered +equivalent, and mapped to a single priority value internally. This means +when using icp-opal we can not allow IPIs but not externals. + +This breaks Linux's use of priority values when a CPU is hot unplugged. +After migrating IRQs away from the CPU that is being offlined, we set +the priority to 5, meaning we still want the offline CPU to receive +IPIs. But the effect of the OPAL XICS emulation's use of a single +priority value is that all interrupts are rejected by the CPU. With the +CPU offline, and not receiving IPIs, we may not be able to wake it up to +bring it back online. + +The first part of the fix is in icp_opal_set_cpu_priority(). CPPR values +of 0 to 4 inclusive will correctly cause all interrupts to be rejected, +so we pass those CPPR values through to OPAL. 
However if we are called +with a CPPR of 5 or greater, the caller is expecting to be able to allow +IPIs but not external interrupts. We know this doesn't work, so instead +of rejecting all interrupts we choose the opposite which is to allow all +interrupts. This is still not correct behaviour, but we know for the +only existing caller (xics_migrate_irqs_away()), that it is the better +option. + +The other part of the fix is in xics_migrate_irqs_away(). Instead of +setting priority (CPPR) to 0, and then back to 5 before migrating IRQs, +we migrate the IRQs before setting the priority back to 5. This should +have no effect on an ICP backend with a working set_priority(), and on +icp-opal it means we will keep all interrupts blocked until after we've +finished doing the IRQ migration. Additionally we wait for 5ms after +doing the migration to make sure there are no IRQs in flight. + +Fixes: d74361881f0d ("powerpc/xics: Add ICP OPAL backend") +Suggested-by: Michael Ellerman +Reported-by: Vaidyanathan Srinivasan +Tested-by: Vaidyanathan Srinivasan +Signed-off-by: Balbir Singh +[mpe: Rewrote comments and change log, change delay to 5ms] +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/sysdev/xics/icp-opal.c | 10 ++++++++++ + arch/powerpc/sysdev/xics/xics-common.c | 17 ++++++++++++++--- + 2 files changed, 24 insertions(+), 3 deletions(-) + +--- a/arch/powerpc/sysdev/xics/icp-opal.c ++++ b/arch/powerpc/sysdev/xics/icp-opal.c +@@ -91,6 +91,16 @@ static unsigned int icp_opal_get_irq(voi + + static void icp_opal_set_cpu_priority(unsigned char cppr) + { ++ /* ++ * Here be dragons. The caller has asked to allow only IPI's and not ++ * external interrupts. But OPAL XIVE doesn't support that. So instead ++ * of allowing no interrupts allow all. That's still not right, but ++ * currently the only caller who does this is xics_migrate_irqs_away() ++ * and it works in that case. 
++ */ ++ if (cppr >= DEFAULT_PRIORITY) ++ cppr = LOWEST_PRIORITY; ++ + xics_set_base_cppr(cppr); + opal_int_set_cppr(cppr); + iosync(); +--- a/arch/powerpc/sysdev/xics/xics-common.c ++++ b/arch/powerpc/sysdev/xics/xics-common.c +@@ -20,6 +20,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -198,9 +199,6 @@ void xics_migrate_irqs_away(void) + /* Remove ourselves from the global interrupt queue */ + xics_set_cpu_giq(xics_default_distrib_server, 0); + +- /* Allow IPIs again... */ +- icp_ops->set_priority(DEFAULT_PRIORITY); +- + for_each_irq_desc(virq, desc) { + struct irq_chip *chip; + long server; +@@ -255,6 +253,19 @@ void xics_migrate_irqs_away(void) + unlock: + raw_spin_unlock_irqrestore(&desc->lock, flags); + } ++ ++ /* Allow "sufficient" time to drop any inflight IRQ's */ ++ mdelay(5); ++ ++ /* ++ * Allow IPIs again. This is done at the very end, after migrating all ++ * interrupts, the expectation is that we'll only get woken up by an IPI ++ * interrupt beyond this point, but leave externals masked just to be ++ * safe. If we're using icp-opal this may actually allow all ++ * interrupts anyway, but that should be OK. ++ */ ++ icp_ops->set_priority(DEFAULT_PRIORITY); ++ + } + #endif /* CONFIG_HOTPLUG_CPU */ + diff --git a/queue-4.10/revert-usb-gadget-uvc-add-missing-call-for-additional-setup-data.patch b/queue-4.10/revert-usb-gadget-uvc-add-missing-call-for-additional-setup-data.patch new file mode 100644 index 00000000000..23e53aaeba3 --- /dev/null +++ b/queue-4.10/revert-usb-gadget-uvc-add-missing-call-for-additional-setup-data.patch 
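Review bot: The comment added in icp_opal_set_cpu_priority() says "OPAL XIVE doesn't support that", but the file, the function and the commit title are all about XICS (XIVE is a different interrupt controller), so the comment misleads; `* external interrupts. But OPAL XICS doesn't support that. So instead` matches the change log. In xics_migrate_irqs_away() the `mdelay(5)` is a timing heuristic with no completion check behind it; the comment honestly says "sufficient", but recording there that the 5ms was chosen by the maintainers rather than derived from the hardware would stop someone shortening it without re-testing CPU hotplug. xics_migrate_irqs_away() starts before its hunk, so the code that masks interrupts before the migration loop is not visible here.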
@@ -0,0 +1,48 @@ +From eb38d913c27f32f4df173791051fecf6aca34173 Mon Sep 17 00:00:00 2001 +From: Roger Quadros +Date: Thu, 2 Mar 2017 10:44:58 +0200 +Subject: Revert "usb: gadget: uvc: Add missing call for additional setup data" + +From: Roger Quadros + +commit eb38d913c27f32f4df173791051fecf6aca34173 upstream. + +This reverts commit 4fbac5206afd01b717d4bdc58793d471f3391b4b. + +This commit breaks g_webcam when used with uvc-gadget [1]. + +The user space application (e.g. uvc-gadget) is responsible for +sending response to UVC class specific requests on control endpoint +in uvc_send_response() in uvc_v4l2.c. + +The bad commit was causing a duplicate response to be sent with +incorrect response data thus causing UVC probe to fail at the host +and broken control transfer endpoint at the gadget. + +[1] - git://git.ideasonboard.org/uvc-gadget.git + +Acked-by: Laurent Pinchart +Signed-off-by: Roger Quadros +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/function/f_uvc.c | 7 ------- + 1 file changed, 7 deletions(-) + +--- a/drivers/usb/gadget/function/f_uvc.c ++++ b/drivers/usb/gadget/function/f_uvc.c +@@ -258,13 +258,6 @@ uvc_function_setup(struct usb_function * + memcpy(&uvc_event->req, ctrl, sizeof(uvc_event->req)); + v4l2_event_queue(&uvc->vdev, &v4l2_event); + +- /* Pass additional setup data to userspace */ +- if (uvc->event_setup_out && uvc->event_length) { +- uvc->control_req->length = uvc->event_length; +- return usb_ep_queue(uvc->func.config->cdev->gadget->ep0, +- uvc->control_req, GFP_ATOMIC); +- } +- + return 0; + } + diff --git a/queue-4.10/serial-samsung-continue-to-work-if-dma-request-fails.patch b/queue-4.10/serial-samsung-continue-to-work-if-dma-request-fails.patch new file mode 100644 index 00000000000..bc196e06bea --- /dev/null +++ b/queue-4.10/serial-samsung-continue-to-work-if-dma-request-fails.patch 
@@ -0,0 +1,49 @@ +From f98c7bce570bdbe344b74ff5daa7dfeef3f22929 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Sat, 25 Feb 2017 18:36:44 +0200 +Subject: serial: samsung: Continue to work if DMA request fails +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Krzysztof Kozlowski + +commit f98c7bce570bdbe344b74ff5daa7dfeef3f22929 upstream. + +If DMA is not available (even when configured in DeviceTree), the driver +will fail the startup procedure thus making serial console not +available. + +For example this causes boot failure on QEMU ARMv7 (Exynos4210, SMDKC210): + [    1.302575] OF: amba_device_add() failed (-19) for /amba/pdma@12680000 + ... + [   11.435732] samsung-uart 13800000.serial: DMA request failed + [   72.963893] samsung-uart 13800000.serial: DMA request failed + [   73.143361] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000000 + +DMA is not necessary for serial to work, so continue with UART startup +after emitting a warning. + +Fixes: 62c37eedb74c ("serial: samsung: add dma reqest/release functions") +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/samsung.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/tty/serial/samsung.c ++++ b/drivers/tty/serial/samsung.c +@@ -1036,8 +1036,10 @@ static int s3c64xx_serial_startup(struct + if (ourport->dma) { + ret = s3c24xx_serial_request_dma(ourport); + if (ret < 0) { +- dev_warn(port->dev, "DMA request failed\n"); +- return ret; ++ dev_warn(port->dev, ++ "DMA request failed, DMA will not be used\n"); ++ devm_kfree(port->dev, ourport->dma); ++ ourport->dma = NULL; + } + } + diff --git a/queue-4.10/series b/queue-4.10/series index bf5b8c43458..e33fe3427bf 100644 --- a/queue-4.10/series +++ b/queue-4.10/series 
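Review bot: After the new branch the negative `ret` from s3c24xx_serial_request_dma() is still live; if s3c64xx_serial_startup(), whose body continues outside the hunk, returns `ret` or tests it later, startup would still fail even though DMA was deliberately given up, so the branch should end with `ret = 0;` or the remainder of the function should be checked. The warning also drops the error code that explains why DMA was unavailable; `dev_warn(port->dev, "DMA request failed (%d), DMA will not be used\n", ret);` keeps that in the boot log. As far as the hunk shows, a single failure now disables DMA for the port for good (ourport->dma is freed and nulled), which is the intended trade-off but is worth stating in the comment next to the devm_kfree().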
@@ -13,3 +13,31 @@ mtd-pmcmsp-use-kstrndup-instead-of-kmalloc-strncpy.patch mips-ralink-cosmetic-change-to-prom_init.patch mips-ralink-remove-unused-timer-functions.patch mips-ralink-remove-unused-rt-_wdt_reset-functions.patch +i2c-bcm2835-avoid-possible-null-ptr-dereference.patch +tracing-add-undef-to-fix-compile-error.patch +ucount-remove-the-atomicity-from-ucount-count.patch +efi-arm-fix-boot-crash-with-config_cpumask_offstack-y.patch +dw2102-don-t-do-dma-on-stack.patch +i2c-add-missing-of_node_put-in-i2c_mux_del_adapters.patch +powerpc-emulation-support-for-load-store-instructions-on-le.patch +powerpc-booke-fix-boot-crash-due-to-null-hugepd.patch +powerpc-xics-work-around-limitations-of-opal-xics-priority-handling.patch +pci-prevent-vpd-access-for-qlogic-isp2722.patch +usb-gadget-dummy_hcd-clear-usb_gadget-region-before-registration.patch +usb-dwc3-gadget-make-set-endpoint-configuration-macros-safe.patch +usb-dwc3-omap-fix-missing-break-in-dwc3_omap_set_mailbox.patch +usb-ohci-at91-do-not-drop-unhandled-usb-suspend-control-requests.patch +usb-gadget-function-f_fs-pass-companion-descriptor-along.patch +revert-usb-gadget-uvc-add-missing-call-for-additional-setup-data.patch +usb-host-xhci-dbg-hciversion-should-be-a-binary-number.patch +usb-host-xhci-plat-fix-timeout-on-removal-of-hot-pluggable-xhci-controllers.patch +usb-serial-safe_serial-fix-information-leak-in-completion-handler.patch +usb-serial-omninet-fix-reference-leaks-at-open.patch +usb-iowarrior-fix-null-deref-at-probe.patch +usb-iowarrior-fix-null-deref-in-write.patch +usb-serial-io_ti-fix-null-deref-in-interrupt-callback.patch +usb-serial-io_ti-fix-information-leak-in-completion-handler.patch +serial-samsung-continue-to-work-if-dma-request-fails.patch +kvm-s390-fix-guest-migration-for-huge-guests-resulting-in-panic.patch +kvm-arm-arm64-let-vcpu-thread-modify-its-own-active-state.patch +drm-i915-gvt-fix-superfluous-newline-in-gvt_display_ready-env-var.patch 
diff --git a/queue-4.10/tracing-add-undef-to-fix-compile-error.patch b/queue-4.10/tracing-add-undef-to-fix-compile-error.patch
new file mode 100644
index 00000000000..94914075d1f
--- /dev/null
+++ b/queue-4.10/tracing-add-undef-to-fix-compile-error.patch
@@ -0,0 +1,39 @@
+From bf7165cfa23695c51998231c4efa080fe1d3548d Mon Sep 17 00:00:00 2001
+From: Rik van Riel
+Date: Wed, 28 Sep 2016 22:55:54 -0400
+Subject: tracing: Add #undef to fix compile error
+
+From: Rik van Riel
+
+commit bf7165cfa23695c51998231c4efa080fe1d3548d upstream.
+
+There are several trace include files that define TRACE_INCLUDE_FILE.
+
+Include several of them in the same .c file (as I currently have in
+some code I am working on), and the compile will blow up with a
+"warning: "TRACE_INCLUDE_FILE" redefined #define TRACE_INCLUDE_FILE syscalls"
+
+Every other include file in include/trace/events/ avoids that issue
+by having a #undef TRACE_INCLUDE_FILE before the #define; syscalls.h
+should have one, too.
+
+Link: http://lkml.kernel.org/r/20160928225554.13bd7ac6@annuminas.surriel.com
+
+Fixes: b8007ef74222 ("tracing: Separate raw syscall from syscall tracer")
+Signed-off-by: Rik van Riel
+Signed-off-by: Steven Rostedt (VMware)
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/trace/events/syscalls.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/include/trace/events/syscalls.h
++++ b/include/trace/events/syscalls.h
+@@ -1,5 +1,6 @@
+ #undef TRACE_SYSTEM
+ #define TRACE_SYSTEM raw_syscalls
++#undef TRACE_INCLUDE_FILE
+ #define TRACE_INCLUDE_FILE syscalls
+ 
+ #if !defined(_TRACE_EVENTS_SYSCALLS_H) || defined(TRACE_HEADER_MULTI_READ)
diff --git a/queue-4.10/ucount-remove-the-atomicity-from-ucount-count.patch b/queue-4.10/ucount-remove-the-atomicity-from-ucount-count.patch
new file mode 100644
index 00000000000..f7f740d611f
--- /dev/null
+++ b/queue-4.10/ucount-remove-the-atomicity-from-ucount-count.patch
@@ -0,0 +1,87 @@ +From 040757f738e13caaa9c5078bca79aa97e11dde88 Mon Sep 17 00:00:00 2001 +From: "Eric W. Biederman" +Date: Sun, 5 Mar 2017 15:03:22 -0600 +Subject: ucount: Remove the atomicity from ucount->count + +From: Eric W. Biederman + +commit 040757f738e13caaa9c5078bca79aa97e11dde88 upstream. + +Always increment/decrement ucount->count under the ucounts_lock. The +increments are there already and moving the decrements there means the +locking logic of the code is simpler. This simplification in the +locking logic fixes a race between put_ucounts and get_ucounts that +could result in a use-after-free because the count could go zero then +be found by get_ucounts and then be freed by put_ucounts. + +A bug presumably this one was found by a combination of syzkaller and +KASAN. JongWhan Kim reported the syzkaller failure and Dmitry Vyukov +spotted the race in the code. + +Fixes: f6b2db1a3e8d ("userns: Make the count of user namespaces per user") +Reported-by: JongHwan Kim +Reported-by: Dmitry Vyukov +Reviewed-by: Andrei Vagin +Signed-off-by: "Eric W. 
Biederman"
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/linux/user_namespace.h | 2 +-
+ kernel/ucount.c | 18 +++++++++++-------
+ 2 files changed, 12 insertions(+), 8 deletions(-)
+
+--- a/include/linux/user_namespace.h
++++ b/include/linux/user_namespace.h
+@@ -65,7 +65,7 @@ struct ucounts {
+ struct hlist_node node;
+ struct user_namespace *ns;
+ kuid_t uid;
+- atomic_t count;
++ int count;
+ atomic_t ucount[UCOUNT_COUNTS];
+ };
+ 
+--- a/kernel/ucount.c
++++ b/kernel/ucount.c
+@@ -139,7 +139,7 @@ static struct ucounts *get_ucounts(struc
+ 
+ new->ns = ns;
+ new->uid = uid;
+- atomic_set(&new->count, 0);
++ new->count = 0;
+ 
+ spin_lock_irq(&ucounts_lock);
+ ucounts = find_ucounts(ns, uid, hashent);
+@@ -150,8 +150,10 @@ static struct ucounts *get_ucounts(struc
+ ucounts = new;
+ }
+ }
+- if (!atomic_add_unless(&ucounts->count, 1, INT_MAX))
++ if (ucounts->count == INT_MAX)
+ ucounts = NULL;
++ else
++ ucounts->count += 1;
+ spin_unlock_irq(&ucounts_lock);
+ return ucounts;
+ }
+@@ -160,13 +162,15 @@ static void put_ucounts(struct ucounts *
+ {
+ unsigned long flags;
+ 
+- if (atomic_dec_and_test(&ucounts->count)) {
+- spin_lock_irqsave(&ucounts_lock, flags);
++ spin_lock_irqsave(&ucounts_lock, flags);
++ ucounts->count -= 1;
++ if (!ucounts->count)
+ hlist_del_init(&ucounts->node);
+- spin_unlock_irqrestore(&ucounts_lock, flags);
++ else
++ ucounts = NULL;
++ spin_unlock_irqrestore(&ucounts_lock, flags);
+ 
+- kfree(ucounts);
+- }
++ kfree(ucounts);
+ }
+ 
+ static inline bool atomic_inc_below(atomic_t *v, int u)
diff --git a/queue-4.10/usb-dwc3-gadget-make-set-endpoint-configuration-macros-safe.patch b/queue-4.10/usb-dwc3-gadget-make-set-endpoint-configuration-macros-safe.patch
new file mode 100644
index 00000000000..b1de3010b03
--- /dev/null
+++ b/queue-4.10/usb-dwc3-gadget-make-set-endpoint-configuration-macros-safe.patch
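Review bot: `count` in struct ucounts goes from atomic_t to a plain int whose correctness now depends on every reader and writer holding ucounts_lock, but the header hunk records nothing about that; a field comment such as `int count; /* protected by ucounts_lock */` would document the invariant the kernel/ucount.c changes rely on, and is the first thing a reviewer of the next change to this struct needs. In put_ucounts() the new flow reuses the `ucounts` parameter as the "free me" flag by nulling it on the non-zero path before the unconditional kfree(); that works because kfree(NULL) is a no-op, but a dedicated local such as `struct ucounts *to_free = NULL;` set inside the locked region would make the release path self-explanatory. The INT_MAX saturation in get_ucounts() is kept, though what happens to a freshly allocated `new` when the function returns NULL is outside the hunk.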
@@ -0,0 +1,61 @@ +From 7369090a9fb57c3fc705ce355d2e4523a5a24716 Mon Sep 17 00:00:00 2001 +From: Felipe Balbi +Date: Tue, 31 Jan 2017 13:24:54 +0200 +Subject: usb: dwc3: gadget: make Set Endpoint Configuration macros safe + +From: Felipe Balbi + +commit 7369090a9fb57c3fc705ce355d2e4523a5a24716 upstream. + +Some gadget drivers are bad, bad boys. We notice +that ADB was passing bad Burst Size which caused top +bits of param0 to be overwritten which confused DWC3 +when running this command. + +In order to avoid future issues, we're going to make +sure values passed by macros are always safe for the +controller. Note that ADB still needs a fix to *not* +pass bad values. + +Reported-by: Mohamed Abbas +Sugested-by: Adam Andruszak +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/dwc3/gadget.h | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/drivers/usb/dwc3/gadget.h ++++ b/drivers/usb/dwc3/gadget.h +@@ -28,23 +28,23 @@ struct dwc3; + #define gadget_to_dwc(g) (container_of(g, struct dwc3, gadget)) + + /* DEPCFG parameter 1 */ +-#define DWC3_DEPCFG_INT_NUM(n) ((n) << 0) ++#define DWC3_DEPCFG_INT_NUM(n) (((n) & 0x1f) << 0) + #define DWC3_DEPCFG_XFER_COMPLETE_EN (1 << 8) + #define DWC3_DEPCFG_XFER_IN_PROGRESS_EN (1 << 9) + #define DWC3_DEPCFG_XFER_NOT_READY_EN (1 << 10) + #define DWC3_DEPCFG_FIFO_ERROR_EN (1 << 11) + #define DWC3_DEPCFG_STREAM_EVENT_EN (1 << 13) +-#define DWC3_DEPCFG_BINTERVAL_M1(n) ((n) << 16) ++#define DWC3_DEPCFG_BINTERVAL_M1(n) (((n) & 0xff) << 16) + #define DWC3_DEPCFG_STREAM_CAPABLE (1 << 24) +-#define DWC3_DEPCFG_EP_NUMBER(n) ((n) << 25) ++#define DWC3_DEPCFG_EP_NUMBER(n) (((n) & 0x1f) << 25) + #define DWC3_DEPCFG_BULK_BASED (1 << 30) + #define DWC3_DEPCFG_FIFO_BASED (1 << 31) + + /* DEPCFG parameter 0 */ +-#define DWC3_DEPCFG_EP_TYPE(n) ((n) << 1) +-#define DWC3_DEPCFG_MAX_PACKET_SIZE(n) ((n) << 3) +-#define DWC3_DEPCFG_FIFO_NUMBER(n) ((n) << 17) +-#define DWC3_DEPCFG_BURST_SIZE(n) ((n) 
<< 22)
++#define DWC3_DEPCFG_EP_TYPE(n) (((n) & 0x3) << 1)
++#define DWC3_DEPCFG_MAX_PACKET_SIZE(n) (((n) & 0x7ff) << 3)
++#define DWC3_DEPCFG_FIFO_NUMBER(n) (((n) & 0x1f) << 17)
++#define DWC3_DEPCFG_BURST_SIZE(n) (((n) & 0xf) << 22)
+ #define DWC3_DEPCFG_DATA_SEQ_NUM(n) ((n) << 26)
+ /* This applies for core versions earlier than 1.94a */
+ #define DWC3_DEPCFG_IGN_SEQ_NUM (1 << 31)
diff --git a/queue-4.10/usb-dwc3-omap-fix-missing-break-in-dwc3_omap_set_mailbox.patch b/queue-4.10/usb-dwc3-omap-fix-missing-break-in-dwc3_omap_set_mailbox.patch
new file mode 100644
index 00000000000..cc643087322
--- /dev/null
+++ b/queue-4.10/usb-dwc3-omap-fix-missing-break-in-dwc3_omap_set_mailbox.patch
@@ -0,0 +1,32 @@
+From 0913750f9fb6f26bcd00c8f9dd9a8d1b8d031246 Mon Sep 17 00:00:00 2001
+From: Roger Quadros
+Date: Wed, 15 Feb 2017 13:38:22 +0200
+Subject: usb: dwc3-omap: Fix missing break in dwc3_omap_set_mailbox()
+
+From: Roger Quadros
+
+commit 0913750f9fb6f26bcd00c8f9dd9a8d1b8d031246 upstream.
+
+We need to break from all cases if we want to treat
+each one of them separately.
+
+Reported-by: Gustavo A. R. Silva
+Fixes: d2728fb3e01f ("usb: dwc3: omap: Pass VBUS and ID events transparently")
+Signed-off-by: Roger Quadros
+Signed-off-by: Felipe Balbi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/dwc3/dwc3-omap.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/dwc3/dwc3-omap.c
++++ b/drivers/usb/dwc3/dwc3-omap.c
+@@ -250,6 +250,7 @@ static void dwc3_omap_set_mailbox(struct
+ val = dwc3_omap_read_utmi_ctrl(omap);
+ val |= USBOTGSS_UTMI_OTG_CTRL_IDDIG;
+ dwc3_omap_write_utmi_ctrl(omap, val);
++ break;
+ 
+ case OMAP_DWC3_VBUS_OFF:
+ val = dwc3_omap_read_utmi_ctrl(omap);
diff --git a/queue-4.10/usb-gadget-dummy_hcd-clear-usb_gadget-region-before-registration.patch b/queue-4.10/usb-gadget-dummy_hcd-clear-usb_gadget-region-before-registration.patch
new file mode 100644
index 00000000000..79bc11b3082
--- /dev/null
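Review bot: The hunk masks every DEPCFG field except `DWC3_DEPCFG_DATA_SEQ_NUM(n)`, which is still `((n) << 26)` and can therefore still clobber the bit 31 `DWC3_DEPCFG_IGN_SEQ_NUM` flag the same way the bad burst size clobbered the top of param0; if the field is the five bits below that flag, `#define DWC3_DEPCFG_DATA_SEQ_NUM(n) (((n) & 0x1f) << 26)` closes the gap, otherwise a comment should say why it is left unmasked. The masks silently truncate out-of-range values rather than rejecting them, so a gadget passing a bad value now programs a wrong-but-in-range field with no diagnostic; the change log says callers must still be fixed, but the header does not, and a short comment on the macro block stating that the masks are a last-line safeguard and not validation would carry that point to where it is read.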
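Review bot: The added `break;` stops the case preceding OMAP_DWC3_VBUS_OFF from falling through into it, but only those two arms of dwc3_omap_set_mailbox() are visible; the remaining cases and the `default:` arm, if there is one, lie outside the hunk and deserve the same check, since the original defect was a switch written without a terminator on that arm. Where a fall-through in this switch is intentional, a `/* fall through */` marker would keep the static checker that found this one from reporting it again.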
+++ b/queue-4.10/usb-gadget-dummy_hcd-clear-usb_gadget-region-before-registration.patch 
@@ -0,0 +1,81 @@ +From 5bbc852676ae08e818241cf66a3ffe4be44225c4 Mon Sep 17 00:00:00 2001 +From: Peter Chen +Date: Tue, 28 Feb 2017 14:25:45 +0800 +Subject: usb: gadget: dummy_hcd: clear usb_gadget region before registration + +From: Peter Chen + +commit 5bbc852676ae08e818241cf66a3ffe4be44225c4 upstream. + +When the user does device unbind and rebind test, the kernel will +show below dump due to usb_gadget memory region is dirty after unbind. +Clear usb_gadget region for every new probe. + +root@imx6qdlsolo:/sys/bus/platform/drivers/dummy_udc# echo dummy_udc.0 > bind +[ 102.523312] kobject (eddd78b0): tried to init an initialized object, something is seriously wrong. +[ 102.532447] CPU: 0 PID: 734 Comm: sh Not tainted 4.10.0-rc7-00872-g1b2b8e9 #1298 +[ 102.539866] Hardware name: Freescale i.MX6 SoloX (Device Tree) +[ 102.545717] Backtrace: +[ 102.548225] [] (dump_backtrace) from [] (show_stack+0x18/0x1c) +[ 102.555822] r7:ede34000 r6:60010013 r5:00000000 r4:c0f29418 +[ 102.561512] [] (show_stack) from [] (dump_stack+0xb4/0xe8) +[ 102.568764] [] (dump_stack) from [] (kobject_init+0x80/0x9c) +[ 102.576187] r10:0000001f r9:eddd7000 r8:eeaf8c10 r7:eddd78a8 r6:c177891c r5:c0f3b060 +[ 102.584036] r4:eddd78b0 r3:00000000 +[ 102.587641] [] (kobject_init) from [] (device_initialize+0x28/0xf8) +[ 102.595665] r5:eebc4800 r4:eddd78a8 +[ 102.599268] [] (device_initialize) from [] (device_register+0x14/0x20) +[ 102.607556] r7:eddd78a8 r6:00000000 r5:eebc4800 r4:eddd78a8 +[ 102.613256] [] (device_register) from [] (usb_add_gadget_udc_release+0x8c/0x1ec) +[ 102.622410] r5:eebc4800 r4:eddd7860 +[ 102.626015] [] (usb_add_gadget_udc_release) from [] (usb_add_gadget_udc+0x14/0x18) +[ 102.635351] r10:0000001f r9:eddd7000 r8:eddd788c r7:bf003770 r6:eddd77f8 r5:eddd7818 +[ 102.643198] r4:eddd785c r3:eddd7b24 +[ 102.646834] [] (usb_add_gadget_udc) from [] (dummy_udc_probe+0x170/0x1c4 [dummy_hcd]) +[ 102.656458] [] (dummy_udc_probe [dummy_hcd]) from [] (platform_drv_probe+0x54/0xb8) +[ 
102.665881] r10:00000008 r9:c1778960 r8:bf004128 r7:fffffdfb r6:bf004128 r5:eeaf8c10 +[ 102.673727] r4:eeaf8c10 +[ 102.676293] [] (platform_drv_probe) from [] (driver_probe_device+0x264/0x474) +[ 102.685186] r7:00000000 r6:00000000 r5:c1778960 r4:eeaf8c10 +[ 102.690876] [] (driver_probe_device) from [] (bind_store+0xb8/0x14c) +[ 102.698994] r10:eeb3bb4c r9:ede34000 r8:0000000c r7:eeaf8c44 r6:bf004128 r5:c0f3b668 +[ 102.706840] r4:eeaf8c10 +[ 102.709402] [] (bind_store) from [] (drv_attr_store+0x28/0x34) +[ 102.716998] r9:ede34000 r8:00000000 r7:ee3863c0 r6:ee3863c0 r5:c0538c80 r4:c053970c +[ 102.724776] [] (drv_attr_store) from [] (sysfs_kf_write+0x50/0x54) +[ 102.732711] r5:c0538c80 r4:0000000c +[ 102.736313] [] (sysfs_kf_write) from [] (kernfs_fop_write+0x100/0x214) +[ 102.744599] r7:ee3863c0 r6:eeb3bb40 r5:00000000 r4:00000000 +[ 102.750287] [] (kernfs_fop_write) from [] (__vfs_write+0x34/0x120) +[ 102.758231] r10:00000000 r9:ede34000 r8:c0108bc4 r7:0000000c r6:ede35f80 r5:c029bd84 +[ 102.766077] r4:ee223780 +[ 102.768638] [] (__vfs_write) from [] (vfs_write+0xa8/0x170) +[ 102.775974] r9:ede34000 r8:c0108bc4 r7:ede35f80 r6:01861cb0 r5:ee223780 r4:0000000c +[ 102.783743] [] (vfs_write) from [] (SyS_write+0x4c/0xa8) +[ 102.790818] r9:ede34000 r8:c0108bc4 r7:0000000c r6:01861cb0 r5:ee223780 r4:ee223780 +[ 102.798595] [] (SyS_write) from [] (ret_fast_syscall+0x0/0x1c) +[ 102.806188] r7:00000004 r6:b6e83d58 r5:01861cb0 r4:0000000c + +Fixes: 90fccb529d24 ("usb: gadget: Gadget directory cleanup - group UDC drivers") +Acked-by: Alan Stern +Signed-off-by: Peter Chen +Tested-by: Xiaolong Ye +Reported-by: Fengguang Wu +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/udc/dummy_hcd.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/gadget/udc/dummy_hcd.c ++++ b/drivers/usb/gadget/udc/dummy_hcd.c +@@ -1031,6 +1031,8 @@ static int dummy_udc_probe(struct platfo + int rc; + + dum = *((void **)dev_get_platdata(&pdev->dev)); 
++ /* Clear usb_gadget region for new registration to udc-core */
++ memzero_explicit(&dum->gadget, sizeof(struct usb_gadget));
+ dum->gadget.name = gadget_name;
+ dum->gadget.ops = &dummy_ops;
+ dum->gadget.max_speed = USB_SPEED_SUPER;
diff --git a/queue-4.10/usb-gadget-function-f_fs-pass-companion-descriptor-along.patch b/queue-4.10/usb-gadget-function-f_fs-pass-companion-descriptor-along.patch
new file mode 100644
index 00000000000..6385c0f420b
--- /dev/null
+++ b/queue-4.10/usb-gadget-function-f_fs-pass-companion-descriptor-along.patch
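Review bot: `memzero_explicit(&dum->gadget, sizeof(struct usb_gadget));` spells the size as the type rather than the object; `sizeof(dum->gadget)` keeps the two in lockstep if the member's type ever changes. memzero_explicit() exists to clear memory the compiler might otherwise treat as dead (secrets before a free); here the region is written and registered immediately afterwards, so a plain `memset(&dum->gadget, 0, sizeof(dum->gadget));` expresses the intent with no functional difference. Zeroing hides, rather than fixes, whatever leaves the embedded kobject initialised after unbind, which is the condition the dump reports; a comment pointing at the unbind/release path that should ideally tear it down would help the next reader, though that path is not visible in this hunk. dummy_udc_probe() starts before the hunk.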
@@ -0,0 +1,57 @@ +From 2bfa0719ac2a9b2f3c91345873d3cdebd0296ba9 Mon Sep 17 00:00:00 2001 +From: Felipe Balbi +Date: Tue, 31 Jan 2017 14:54:45 +0200 +Subject: usb: gadget: function: f_fs: pass companion descriptor along + +From: Felipe Balbi + +commit 2bfa0719ac2a9b2f3c91345873d3cdebd0296ba9 upstream. + +If we're dealing with SuperSpeed endpoints, we need +to make sure to pass along the companion descriptor +and initialize fields needed by the Gadget +API. Eventually, f_fs.c should be converted to use +config_ep_by_speed() like all other functions, +though. + +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/function/f_fs.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +--- a/drivers/usb/gadget/function/f_fs.c ++++ b/drivers/usb/gadget/function/f_fs.c +@@ -1833,11 +1833,14 @@ static int ffs_func_eps_enable(struct ff + spin_lock_irqsave(&func->ffs->eps_lock, flags); + while(count--) { + struct usb_endpoint_descriptor *ds; ++ struct usb_ss_ep_comp_descriptor *comp_desc = NULL; ++ int needs_comp_desc = false; + int desc_idx; + +- if (ffs->gadget->speed == USB_SPEED_SUPER) ++ if (ffs->gadget->speed == USB_SPEED_SUPER) { + desc_idx = 2; +- else if (ffs->gadget->speed == USB_SPEED_HIGH) ++ needs_comp_desc = true; ++ } else if (ffs->gadget->speed == USB_SPEED_HIGH) + desc_idx = 1; + else + desc_idx = 0; +@@ -1854,6 +1857,14 @@ static int ffs_func_eps_enable(struct ff + + ep->ep->driver_data = ep; + ep->ep->desc = ds; ++ ++ comp_desc = (struct usb_ss_ep_comp_descriptor *)(ds + ++ USB_DT_ENDPOINT_SIZE); ++ ep->ep->maxburst = comp_desc->bMaxBurst + 1; ++ ++ if (needs_comp_desc) ++ ep->ep->comp_desc = comp_desc; ++ + ret = usb_ep_enable(ep->ep); + if (likely(!ret)) { + epfile->ep = ep; diff --git a/queue-4.10/usb-host-xhci-dbg-hciversion-should-be-a-binary-number.patch b/queue-4.10/usb-host-xhci-dbg-hciversion-should-be-a-binary-number.patch new file mode 100644 index 00000000000..c04d2407adc --- /dev/null 
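Review bot: The companion descriptor address is computed as `ds + USB_DT_ENDPOINT_SIZE` where `ds` is a `struct usb_endpoint_descriptor *`, so the offset is scaled by the size of that struct rather than by bytes; if the intent is to step past the endpoint descriptor by its byte length, the pointer needs a byte cast first, `comp_desc = (struct usb_ss_ep_comp_descriptor *)((u8 *)ds + USB_DT_ENDPOINT_SIZE);`. The `comp_desc->bMaxBurst` read is also performed for every speed, not only when `needs_comp_desc` is set, so on a full/high-speed configuration it reads whatever follows the endpoint descriptor in the descriptor blob — and as I understand functionfs, that blob is supplied by userspace, so the read should move under `if (needs_comp_desc)` and `maxburst` keep its default otherwise. ffs_func_eps_enable() starts before the hunk and continues after it.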
+++ b/queue-4.10/usb-host-xhci-dbg-hciversion-should-be-a-binary-number.patch @@ -0,0 +1,34 @@ +From f95e60a7dbecd2de816bb3ad517b3d4fbc20b507 Mon Sep 17 00:00:00 2001 +From: Peter Chen +Date: Thu, 9 Mar 2017 15:39:36 +0200 +Subject: usb: host: xhci-dbg: HCIVERSION should be a binary number + +From: Peter Chen + +commit f95e60a7dbecd2de816bb3ad517b3d4fbc20b507 upstream. + +According to xHCI spec, HCIVERSION containing a BCD encoding +of the xHCI specification revision number, 0100h corresponds +to xHCI version 1.0. Change "100" as "0x100". + +Cc: Lu Baolu +Fixes: 04abb6de2825 ("xhci: Read and parse new xhci 1.1 capability register") +Signed-off-by: Peter Chen +Signed-off-by: Mathias Nyman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/xhci-dbg.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/host/xhci-dbg.c ++++ b/drivers/usb/host/xhci-dbg.c +@@ -111,7 +111,7 @@ static void xhci_print_cap_regs(struct x + xhci_dbg(xhci, "RTSOFF 0x%x:\n", temp & RTSOFF_MASK); + + /* xhci 1.1 controllers have the HCCPARAMS2 register */ +- if (hci_version > 100) { ++ if (hci_version > 0x100) { + temp = readl(&xhci->cap_regs->hcc_params2); + xhci_dbg(xhci, "HCC PARAMS2 0x%x:\n", (unsigned int) temp); + xhci_dbg(xhci, " HC %s Force save context capability", diff --git a/queue-4.10/usb-host-xhci-plat-fix-timeout-on-removal-of-hot-pluggable-xhci-controllers.patch b/queue-4.10/usb-host-xhci-plat-fix-timeout-on-removal-of-hot-pluggable-xhci-controllers.patch new file mode 100644 index 00000000000..3b5fd33d990 --- /dev/null +++ b/queue-4.10/usb-host-xhci-plat-fix-timeout-on-removal-of-hot-pluggable-xhci-controllers.patch 
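Review bot: The corrected comparison `hci_version > 0x100` still encodes the spec revision as a bare magic number, and the comment above it says the condition is meant to identify xhci 1.1 controllers, so the intent would be clearer as `if (hci_version >= 0x110)` or a comparison against a named constant for the BCD-encoded revision. The fix itself looks right as far as this hunk shows: a decimal `100` was compared against a BCD register value, which presumably made the test true for every controller. xhci_print_cap_regs() starts before the hunk and continues after it.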
@@ -0,0 +1,42 @@ +From dcc7620cad5ad1326a78f4031a7bf4f0e5b42984 Mon Sep 17 00:00:00 2001 +From: Guenter Roeck +Date: Thu, 9 Mar 2017 15:39:37 +0200 +Subject: usb: host: xhci-plat: Fix timeout on removal of hot pluggable xhci controllers + +From: Guenter Roeck + +commit dcc7620cad5ad1326a78f4031a7bf4f0e5b42984 upstream. + +Upstream commit 98d74f9ceaef ("xhci: fix 10 second timeout on removal of +PCI hotpluggable xhci controllers") fixes a problem with hot pluggable PCI +xhci controllers which can result in excessive timeouts, to the point where +the system reports a deadlock. + +The same problem is seen with hot pluggable xhci controllers using the +xhci-plat driver, such as the driver used for Type-C ports on rk3399. +Similar to hot-pluggable PCI controllers, the driver for this chip +removes the xhci controller from the system when the Type-C cable is +disconnected. + +The solution for PCI devices works just as well for non-PCI devices +and avoids the problem. + +Signed-off-by: Guenter Roeck +Signed-off-by: Mathias Nyman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/xhci-plat.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/host/xhci-plat.c ++++ b/drivers/usb/host/xhci-plat.c +@@ -283,6 +283,8 @@ static int xhci_plat_remove(struct platf + struct xhci_hcd *xhci = hcd_to_xhci(hcd); + struct clk *clk = xhci->clk; + ++ xhci->xhc_state |= XHCI_STATE_REMOVING; ++ + usb_remove_hcd(xhci->shared_hcd); + usb_phy_shutdown(hcd->usb_phy); + diff --git a/queue-4.10/usb-iowarrior-fix-null-deref-at-probe.patch b/queue-4.10/usb-iowarrior-fix-null-deref-at-probe.patch new file mode 100644 index 00000000000..7f0616ae0fc --- /dev/null +++ b/queue-4.10/usb-iowarrior-fix-null-deref-at-probe.patch 
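Review bot: The new `xhci->xhc_state |= XHCI_STATE_REMOVING;` carries no comment on why it must precede `usb_remove_hcd()`, and the rationale (the controller may already be physically gone, so code waiting on it should bail rather than time out) lives only in the commit message; a one-liner such as `/* Controller may already be gone (hot-unplug): make xhci paths bail instead of waiting */` would keep it with the code. The read-modify-write of `xhc_state` is unlocked; if interrupt or timeout handlers also update that field, confirm they cannot run concurrently at this point of remove, which the PCI counterpart presumably relies on as well. xhci_plat_remove() starts before the hunk and continues after it.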
@@ -0,0 +1,55 @@ +From b7321e81fc369abe353cf094d4f0dc2fe11ab95f Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 7 Mar 2017 16:11:03 +0100 +Subject: USB: iowarrior: fix NULL-deref at probe + +From: Johan Hovold + +commit b7321e81fc369abe353cf094d4f0dc2fe11ab95f upstream. + +Make sure to check for the required interrupt-in endpoint to avoid +dereferencing a NULL-pointer should a malicious device lack such an +endpoint. + +Note that a fairly recent change purported to fix this issue, but added +an insufficient test on the number of endpoints only, a test which can +now be removed. + +Fixes: 4ec0ef3a8212 ("USB: iowarrior: fix oops with malicious USB descriptors") +Fixes: 946b960d13c1 ("USB: add driver for iowarrior devices.") +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/misc/iowarrior.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +--- a/drivers/usb/misc/iowarrior.c ++++ b/drivers/usb/misc/iowarrior.c +@@ -781,12 +781,6 @@ static int iowarrior_probe(struct usb_in + iface_desc = interface->cur_altsetting; + dev->product_id = le16_to_cpu(udev->descriptor.idProduct); + +- if (iface_desc->desc.bNumEndpoints < 1) { +- dev_err(&interface->dev, "Invalid number of endpoints\n"); +- retval = -EINVAL; +- goto error; +- } +- + /* set up the endpoint information */ + for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) { + endpoint = &iface_desc->endpoint[i].desc; +@@ -797,6 +791,13 @@ static int iowarrior_probe(struct usb_in + /* this one will match for the IOWarrior56 only */ + dev->int_out_endpoint = endpoint; + } ++ ++ if (!dev->int_in_endpoint) { ++ dev_err(&interface->dev, "no interrupt-in endpoint found\n"); ++ retval = -ENODEV; ++ goto error; ++ } ++ + /* we have to check the report_size often, so remember it in the endianness suitable for our machine */ + dev->report_size = usb_endpoint_maxp(dev->int_in_endpoint); + if ((dev->interface->cur_altsetting->desc.bInterfaceNumber == 0) && 
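Review bot: The new guard only establishes that an interrupt-in endpoint exists; the very next line derives `dev->report_size` from its `wMaxPacketSize`, which a malicious device controls just as much as the endpoint list, so if `report_size` is later used to size buffers or copies (not visible here) a zero or implausibly large value should be rejected at this point too, e.g. `if (!dev->report_size) { retval = -ENODEV; goto error; }`. The removed `bNumEndpoints < 1` test was indeed insufficient because the loop can complete without matching any interrupt-in endpoint, so checking after the loop is the right place. iowarrior_probe() starts before the hunk and continues after it.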
diff --git a/queue-4.10/usb-iowarrior-fix-null-deref-in-write.patch b/queue-4.10/usb-iowarrior-fix-null-deref-in-write.patch new file mode 100644 index 00000000000..7bae57124e3 --- /dev/null +++ b/queue-4.10/usb-iowarrior-fix-null-deref-in-write.patch @@ -0,0 +1,38 @@ +From de46e56653de7b3b54baa625bd582635008b8d05 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 7 Mar 2017 16:11:04 +0100 +Subject: USB: iowarrior: fix NULL-deref in write + +From: Johan Hovold + +commit de46e56653de7b3b54baa625bd582635008b8d05 upstream. + +Make sure to verify that we have the required interrupt-out endpoint for +IOWarrior56 devices to avoid dereferencing a NULL-pointer in write +should a malicious device lack such an endpoint. + +Fixes: 946b960d13c1 ("USB: add driver for iowarrior devices.") +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/misc/iowarrior.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/usb/misc/iowarrior.c ++++ b/drivers/usb/misc/iowarrior.c +@@ -798,6 +798,14 @@ static int iowarrior_probe(struct usb_in + goto error; + } + ++ if (dev->product_id == USB_DEVICE_ID_CODEMERCS_IOW56) { ++ if (!dev->int_out_endpoint) { ++ dev_err(&interface->dev, "no interrupt-out endpoint found\n"); ++ retval = -ENODEV; ++ goto error; ++ } ++ } ++ + /* we have to check the report_size often, so remember it in the endianness suitable for our machine */ + dev->report_size = usb_endpoint_maxp(dev->int_in_endpoint); + if ((dev->interface->cur_altsetting->desc.bInterfaceNumber == 0) && diff --git a/queue-4.10/usb-ohci-at91-do-not-drop-unhandled-usb-suspend-control-requests.patch b/queue-4.10/usb-ohci-at91-do-not-drop-unhandled-usb-suspend-control-requests.patch new file mode 100644 index 00000000000..b8b841c052e --- /dev/null +++ b/queue-4.10/usb-ohci-at91-do-not-drop-unhandled-usb-suspend-control-requests.patch 
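Review bot: The added check nests two `if`s for what is a single condition; it reads more directly as `if (dev->product_id == USB_DEVICE_ID_CODEMERCS_IOW56 && !dev->int_out_endpoint) {` with the same message and `goto error`. The `-ENODEV` return is consistent with the interrupt-in check that the preceding patch in this series adds immediately above it. iowarrior_probe() starts before the hunk and continues after it.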
@@ -0,0 +1,54 @@ +From 85550f9148a852ed363a386577ad31b97b95dfb8 Mon Sep 17 00:00:00 2001 +From: Jelle Martijn Kok +Date: Tue, 21 Feb 2017 12:48:18 +0100 +Subject: usb: ohci-at91: Do not drop unhandled USB suspend control requests + +From: Jelle Martijn Kok + +commit 85550f9148a852ed363a386577ad31b97b95dfb8 upstream. + +In patch 2e2aa1bc7eff90ecm, USB suspend and wakeup control requests are +passed to SFR_OHCIICR register. If a processor does not have such a +register, this hub control request will be dropped. + +If no such a SFR register is available, all USB suspend control requests +will now be processed using ohci_hub_control() +(like before patch 2e2aa1bc7eff90ecm.) + +Tested on an Atmel AT91SAM9G20 with an on-board TI TUSB2046B hub chip +If the last USB device is unplugged from the USB hub, the hub goes into +sleep and will not wakeup when an USB devices is inserted. + +Fixes: 2e2aa1bc7eff90ec ("usb: ohci-at91: Forcibly suspend ports while USB suspend") +Signed-off-by: Jelle Martijn Kok +Tested-by: Wenyou Yang +Cc: Wenyou Yang +Cc: Alan Stern +Acked-by: Nicolas Ferre +Reviewed-by: Alexandre Belloni +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/ohci-at91.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/usb/host/ohci-at91.c ++++ b/drivers/usb/host/ohci-at91.c +@@ -350,7 +350,7 @@ static int ohci_at91_hub_control(struct + + case USB_PORT_FEAT_SUSPEND: + dev_dbg(hcd->self.controller, "SetPortFeat: SUSPEND\n"); +- if (valid_port(wIndex)) { ++ if (valid_port(wIndex) && ohci_at91->sfr_regmap) { + ohci_at91_port_suspend(ohci_at91->sfr_regmap, + 1); + return 0; +@@ -393,7 +393,7 @@ static int ohci_at91_hub_control(struct + + case USB_PORT_FEAT_SUSPEND: + dev_dbg(hcd->self.controller, "ClearPortFeature: SUSPEND\n"); +- if (valid_port(wIndex)) { ++ if (valid_port(wIndex) && ohci_at91->sfr_regmap) { + ohci_at91_port_suspend(ohci_at91->sfr_regmap, + 0); + return 0; 
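Review bot: Both hunks now fall through to the generic handler when `ohci_at91->sfr_regmap` is NULL, but nothing in the code says that fall-through is intentional rather than an oversight; a comment on each guard, e.g. `/* No SFR register: let ohci_hub_control() handle suspend */`, would document the behaviour the commit message describes. Since the NULL test is duplicated at both call sites, an alternative is for `ohci_at91_port_suspend()` (not visible here) to reject a NULL regmap itself and report whether it handled the request. ohci_at91_hub_control() starts before the hunks and continues after them.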
diff --git a/queue-4.10/usb-serial-io_ti-fix-information-leak-in-completion-handler.patch b/queue-4.10/usb-serial-io_ti-fix-information-leak-in-completion-handler.patch new file mode 100644 index 00000000000..512f97acdbd --- /dev/null +++ b/queue-4.10/usb-serial-io_ti-fix-information-leak-in-completion-handler.patch @@ -0,0 +1,35 @@ +From 654b404f2a222f918af9b0cd18ad469d0c941a8e Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 6 Mar 2017 17:36:40 +0100 +Subject: USB: serial: io_ti: fix information leak in completion handler + +From: Johan Hovold + +commit 654b404f2a222f918af9b0cd18ad469d0c941a8e upstream. + +Add missing sanity check to the bulk-in completion handler to avoid an +integer underflow that can be triggered by a malicious device. + +This avoids leaking 128 kB of memory content from after the URB transfer +buffer to user space. + +Fixes: 8c209e6782ca ("USB: make actual_length in struct urb field u32") +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/io_ti.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/serial/io_ti.c ++++ b/drivers/usb/serial/io_ti.c +@@ -1761,7 +1761,7 @@ static void edge_bulk_in_callback(struct + + port_number = edge_port->port->port_number; + +- if (edge_port->lsr_event) { ++ if (urb->actual_length > 0 && edge_port->lsr_event) { + edge_port->lsr_event = 0; + dev_dbg(dev, "%s ===== Port %u LSR Status = %02x, Data = %02x ======\n", + __func__, port_number, edge_port->lsr_mask, *data); diff --git a/queue-4.10/usb-serial-io_ti-fix-null-deref-in-interrupt-callback.patch b/queue-4.10/usb-serial-io_ti-fix-null-deref-in-interrupt-callback.patch new file mode 100644 index 00000000000..fc04369275e --- /dev/null +++ b/queue-4.10/usb-serial-io_ti-fix-null-deref-in-interrupt-callback.patch 
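Review bot: With the new condition, a zero-length bulk-in completion that arrives while `edge_port->lsr_event` is set leaves the flag pending, so the first byte of the next non-empty URB is consumed as LSR data; if that matches the device protocol it deserves a comment such as `/* LSR data comes in the next non-empty packet: keep lsr_event pending on empty URBs */`, and if not, the flag should be cleared regardless of length. The `*data` read in the `dev_dbg()` below is what `actual_length > 0` protects, and presumably the length arithmetic further down (outside the hunk) is the underflow the commit message refers to. edge_bulk_in_callback() starts before the hunk and continues after it.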
@@ -0,0 +1,36 @@ +From 0b1d250afb8eb9d65afb568bac9b9f9253a82b49 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 6 Mar 2017 17:36:37 +0100 +Subject: USB: serial: io_ti: fix NULL-deref in interrupt callback + +From: Johan Hovold + +commit 0b1d250afb8eb9d65afb568bac9b9f9253a82b49 upstream. + +Fix a NULL-pointer dereference in the interrupt callback should a +malicious device send data containing a bad port number by adding the +missing sanity check. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/io_ti.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/usb/serial/io_ti.c ++++ b/drivers/usb/serial/io_ti.c +@@ -1674,6 +1674,12 @@ static void edge_interrupt_callback(stru + function = TIUMP_GET_FUNC_FROM_CODE(data[0]); + dev_dbg(dev, "%s - port_number %d, function %d, info 0x%x\n", __func__, + port_number, function, data[1]); ++ ++ if (port_number >= edge_serial->serial->num_ports) { ++ dev_err(dev, "bad port number %d\n", port_number); ++ goto exit; ++ } ++ + port = edge_serial->serial->port[port_number]; + edge_port = usb_get_serial_port_data(port); + if (!edge_port) { diff --git a/queue-4.10/usb-serial-omninet-fix-reference-leaks-at-open.patch b/queue-4.10/usb-serial-omninet-fix-reference-leaks-at-open.patch new file mode 100644 index 00000000000..800b9233f23 --- /dev/null +++ b/queue-4.10/usb-serial-omninet-fix-reference-leaks-at-open.patch 
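Review bot: The bounds check compares `port_number` against `edge_serial->serial->num_ports`, so its correctness depends on the type of `port_number`: it is printed with `%d` two lines above, so if it is a signed `int` and the macro deriving it from `data[0]` can yield a negative value, a negative index slips past `>=` and indexes `port[]` before element zero — compare as unsigned or add `port_number < 0 ||` unless the macro is known to mask to a non-negative range. Also, `dev_err()` here is reachable at interrupt-URB rate from a malicious device, so `dev_err_ratelimited()` (or `dev_dbg()`) would avoid letting it flood the log. edge_interrupt_callback() starts before the hunk and continues after it.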
@@ -0,0 +1,37 @@ +From 30572418b445d85fcfe6c8fe84c947d2606767d8 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 6 Mar 2017 17:36:38 +0100 +Subject: USB: serial: omninet: fix reference leaks at open + +From: Johan Hovold + +commit 30572418b445d85fcfe6c8fe84c947d2606767d8 upstream. + +This driver needlessly took another reference to the tty on open, a +reference which was then never released on close. This lead to not just +a leak of the tty, but also a driver reference leak that prevented the +driver from being unloaded after a port had once been opened. + +Fixes: 4a90f09b20f4 ("tty: usb-serial krefs") +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/omninet.c | 6 ------ + 1 file changed, 6 deletions(-) + +--- a/drivers/usb/serial/omninet.c ++++ b/drivers/usb/serial/omninet.c +@@ -142,12 +142,6 @@ static int omninet_port_remove(struct us + + static int omninet_open(struct tty_struct *tty, struct usb_serial_port *port) + { +- struct usb_serial *serial = port->serial; +- struct usb_serial_port *wport; +- +- wport = serial->port[1]; +- tty_port_tty_set(&wport->port, tty); +- + return usb_serial_generic_open(tty, port); + } + diff --git a/queue-4.10/usb-serial-safe_serial-fix-information-leak-in-completion-handler.patch b/queue-4.10/usb-serial-safe_serial-fix-information-leak-in-completion-handler.patch new file mode 100644 index 00000000000..05c8e70a18e --- /dev/null +++ b/queue-4.10/usb-serial-safe_serial-fix-information-leak-in-completion-handler.patch 
@@ -0,0 +1,37 @@ +From 8c76d7cd520ebffc1ea9ea0850d87a224a50c7f2 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 6 Mar 2017 17:36:41 +0100 +Subject: USB: serial: safe_serial: fix information leak in completion handler + +From: Johan Hovold + +commit 8c76d7cd520ebffc1ea9ea0850d87a224a50c7f2 upstream. + +Add missing sanity check to the bulk-in completion handler to avoid an +integer underflow that could be triggered by a malicious device. + +This avoids leaking up to 56 bytes from after the URB transfer buffer to +user space. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/safe_serial.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/usb/serial/safe_serial.c ++++ b/drivers/usb/serial/safe_serial.c +@@ -200,6 +200,11 @@ static void safe_process_read_urb(struct + if (!safe) + goto out; + ++ if (length < 2) { ++ dev_err(&port->dev, "malformed packet\n"); ++ return; ++ } ++ + fcs = fcs_compute10(data, length, CRC10_INITFCS); + if (fcs) { + dev_err(&port->dev, "%s - bad CRC %x\n", __func__, fcs);